Just like changing a password, ICANN has decided to roll over the DNS root zone KSK from KSK-2010 to KSK-2017. The root zone Key Signing Key (KSK) is the top cryptographic key in the DNSSEC chain of trust: every validating resolver trusts it directly as its trust anchor.
Affected Systems
You need to care about it if
✔ You are running a recursive/caching-only DNS server
✔ Your DNS server is doing DNSSEC validation
How can you be sure your DNS server is validating DNSSEC? Run the command below on the DNS server itself (dnssec-failed.org is a test zone whose DNSSEC signatures are deliberately broken, so a validating resolver must refuse to answer for it):

    # dig @localhost dnssec-failed.org a +dnssec | grep HEADER
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119

If status = SERVFAIL, DNSSEC validation is enabled.
If status = NOERROR, DNSSEC validation is disabled.
Okay, I need to care about it. What now?
Solution Steps
The easiest way to prepare your server for KSK-2017 is to make it comply with "Automated Updates of DNS Security (DNSSEC) Trust Anchors" (RFC 5011) and let the automated update roll out. The following steps are specific to the Red Hat family.
1. Make sure you have the latest bind packages installed, or at least version 9.9:

    # yum install bind
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: mirror.dhakacom.com
     * epel: ftp.cuhk.edu.hk
     * extras: mirror.dhakacom.com
     * updates: mirror.dhakacom.com
    Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
    Nothing to do
2. In /etc/named.conf, make sure the option dnssec-validation auto; is configured. You need to restart the named service if you make any change.
That's it!
Validation
Check that your managed keys include KSK-2017 (key tag 20326).
    # cat /etc/named.root.key
    managed-keys {
            # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
            # for current trust anchor information.
            #
            # This key (19036) is to be phased out starting in 2017. It will
            # remain in the root zone for some time after its successor key
            # has been added. It will remain in this file until it is removed from
            # the root zone.
            . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
                    FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
                    bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
                    X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
                    W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
                    Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
                    QxA+Uk1ihz0=";

            # This key (20326) is to be published in the root zone in 2017.
            # Servers which were already using the old key should roll to the
            # new one seamlessly. Servers being set up for the first time
            # can use either of the keys in this file to verify the root keys
            # for the first time; thereafter the keys in the zone will be
            # trusted and maintained automatically.
            . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
                    +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
                    ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
                    0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
                    oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
                    RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
                    R1AkUTV74bU=";
    };
    # cat /var/named/dynamic/managed-keys.bind
    $ORIGIN .
    $TTL 0  ; 0 seconds
    @                       IN SOA  . . (
                                    244        ; serial
                                    0          ; refresh (0 seconds)
                                    0          ; retry (0 seconds)
                                    0          ; expire (0 seconds)
                                    0          ; minimum (0 seconds)
                                    )
                            KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                    AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                    bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                    /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                    JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                    oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                    LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                    Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                    LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                    ) ; KSK; alg = RSASHA256; key id = 19036
                            KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                    AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                    iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                                    7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                                    LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                                    efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                                    pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                                    A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                                    9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                                    ) ; KSK; alg = RSASHA256; key id = 20326
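The "key id = 20326" at the end of each KEYDATA record is only a comment that BIND writes for convenience. To verify the trust anchor from the key material itself, the following added example (my own code, not part of the original post and not ISC's) parses managed-keys.bind records and recomputes each key tag with the RFC 4034 Appendix B algorithm. The sample file is constructed in the layout of the file above, with the two root keys copied from the post; the function names are my own.

```python
"""Recompute root KSK key tags from BIND's managed-keys.bind (added example)."""
import base64
import re
import struct
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Set

KSK_2017_TAG = 20326  # key tag of the 2017 root KSK, as stated in the post
KSK_2010_TAG = 19036  # key tag of the 2010 root KSK it replaces

# Constructed sample in the layout of /var/named/dynamic/managed-keys.bind,
# trimmed to the two KEYDATA records; key material copied from the post.
SAMPLE_MANAGED_KEYS = """\
$ORIGIN .
$TTL 0  ; 0 seconds
@  IN SOA . . (
       244 ; serial
       0   ; refresh (0 seconds)
       0   ; retry (0 seconds)
       0   ; expire (0 seconds)
       0   ; minimum (0 seconds)
       )
   KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
       AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
       bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
       /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
       JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
       oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
       LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
       Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
       LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
       ) ; KSK; alg = RSASHA256; key id = 19036
   KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
       AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
       iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
       7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
       LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
       efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
       pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
       A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
       9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
       ) ; KSK; alg = RSASHA256; key id = 20326
"""

# One KEYDATA record: three RFC 5011 timers (refresh, add hold-down, remove
# hold-down), DNSKEY flags/protocol/algorithm, the base64 key in parentheses,
# and BIND's optional trailing "; ... key id = N" comment.
KEYDATA_RE = re.compile(
    r"KEYDATA\s+(\d{14})\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\d+)\s+(\d+)\s*\("
    r"\s*([A-Za-z0-9+/=\s]+?)\s*\)"
    r"(?:[^\n]*?key id = (\d+))?"
)


def dnskey_key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum over the whole DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_bind_time(stamp: str) -> datetime:
    """BIND stores the RFC 5011 timers as YYYYMMDDHHMMSS (UTC)."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S")


@dataclass
class TrustAnchor:
    refresh: datetime            # next time BIND re-fetches the root DNSKEY set
    add_hold_down: datetime      # RFC 5011 add hold-down timer
    remove_hold_down: datetime   # RFC 5011 remove hold-down timer (1970 = unset)
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes
    annotated_tag: Optional[int]  # the "key id" BIND wrote in its comment

    @property
    def tag(self) -> int:
        """Key tag recomputed from flags + protocol + algorithm + public key."""
        rdata = struct.pack("!HBB", self.flags, self.protocol, self.algorithm)
        return dnskey_key_tag(rdata + self.public_key)


def parse_managed_keys(text: str) -> List[TrustAnchor]:
    anchors = []
    for m in KEYDATA_RE.finditer(text):
        refresh, addhd, removehd, flags, proto, alg, b64, annotated = m.groups()
        anchors.append(TrustAnchor(
            refresh=parse_bind_time(refresh),
            add_hold_down=parse_bind_time(addhd),
            remove_hold_down=parse_bind_time(removehd),
            flags=int(flags), protocol=int(proto), algorithm=int(alg),
            public_key=base64.b64decode("".join(b64.split())),
            annotated_tag=int(annotated) if annotated else None,
        ))
    return anchors


def managed_key_tags(text: str) -> Set[int]:
    return {a.tag for a in parse_managed_keys(text)}


def annotation_mismatches(text: str) -> List[TrustAnchor]:
    """Records whose recomputed tag differs from BIND's comment (file damage)."""
    return [a for a in parse_managed_keys(text)
            if a.annotated_tag is not None and a.annotated_tag != a.tag]


def has_ksk_2017(text: str) -> bool:
    """True when a KSK (flags 257) whose recomputed tag is 20326 is present."""
    return any(a.tag == KSK_2017_TAG and a.flags == 257
               for a in parse_managed_keys(text))


if __name__ == "__main__":
    for a in parse_managed_keys(SAMPLE_MANAGED_KEYS):
        print(f"tag {a.tag} (comment says {a.annotated_tag}) alg {a.algorithm} "
              f"refresh {a.refresh:%Y-%m-%d} remove-hold-down {a.remove_hold_down:%Y-%m-%d}")
    print("KSK-2017 present:", has_ksk_2017(SAMPLE_MANAGED_KEYS))
```

On a real server, read /var/named/dynamic/managed-keys.bind into `parse_managed_keys` instead of the sample; a resolver that is ready for the rollover shows tag 20326 with a remove hold-down of 1970 (not scheduled for removal), and any entry reported by `annotation_mismatches` means the key material and BIND's own comment disagree, which is worth investigating before trusting the file.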
References:
- https://www.youtube.com/watch?v=d7H1AkC9PIw
- https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html
- https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
- https://www.rfc-editor.org/rfc/rfc8145.txt