DNS Root Zone KSK2017 Rollover | CentOS 7 | Bind


Just as you would periodically change a password, ICANN has decided to roll over the DNS root zone Key Signing Key from KSK-2010 to KSK-2017. The root zone Key Signing Key (KSK) is the top-level cryptographic key in the DNSSEC chain of trust: every validating resolver's trust in signed DNS data ultimately derives from it.


Affected Systems

This affects you if

✔ You are running a recursive/caching-only DNS server

✔ Your DNS server is doing DNSSEC validation

How can you be sure your DNS server is validating DNSSEC? Run the command below from a shell on the DNS server itself:

#dig @localhost dnssec-failed.org a +dnssec | grep HEADER
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119

If status = SERVFAIL, DNSSEC validation is enabled (dnssec-failed.org is deliberately signed incorrectly, so a validating resolver rejects it).

If status = NOERROR, DNSSEC validation is disabled (the bogus answer was accepted without being checked).
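The SERVFAIL/NOERROR check above can be scripted so it runs on every resolver you manage. The following is an added example and not part of the original post: dnssec_state_from_header parses the dig header line from stdin (so it can be exercised offline on constructed samples), and check_resolver wraps the real dig call from the post. The resolver name and the sample header lines are assumptions.

```shell
# Added example: classify a resolver's DNSSEC validation state from the
# ";; ->>HEADER<<-" line of a dig query for dnssec-failed.org.

# Reads dig output on stdin and prints one of:
#   validating / not-validating / unknown
dnssec_state_from_header() {
    status=$(grep 'HEADER' | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$status" in
        SERVFAIL) echo validating ;;      # bogus signatures were rejected
        NOERROR)  echo not-validating ;;  # bogus answer accepted unchecked
        *)        echo unknown ;;         # timeout, no header line, etc.
    esac
}

# Runs the live check from the post against a resolver (default: localhost).
# Short timeout so a dead resolver reports "unknown" instead of hanging.
check_resolver() {
    resolver="${1:-localhost}"
    dig "@$resolver" dnssec-failed.org a +dnssec +time=3 +tries=1 2>/dev/null \
        | dnssec_state_from_header
}

# Constructed sample header lines for offline use. The SERVFAIL line mirrors
# the post's output; the NOERROR line and its id are made up.
SAMPLE_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 28119'
SAMPLE_NOT_VALIDATING=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242'

# Usage on a real server:
#   check_resolver            # queries @localhost
#   check_resolver 10.0.0.53  # queries another resolver
```

Only SERVFAIL is treated as proof of validation; anything that is not a clean SERVFAIL or NOERROR header is reported as unknown rather than guessed, so a firewall drop or an unreachable resolver does not get mistaken for a correctly validating one.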

Okay, this affects me. What now?


Solution Steps

The easiest way to prepare your server for KSK-2017 is to make it compatible with "Automated Updates of DNS Security (DNSSEC) Trust Anchors" (RFC 5011) and let the automated update roll the trust anchor over for you. The following steps are specific to the Red Hat family (CentOS 7 here).

1. Make sure you have the latest bind packages installed, or at least version 9.9.

# yum install bind
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.dhakacom.com
* epel: ftp.cuhk.edu.hk
* extras: mirror.dhakacom.com
* updates: mirror.dhakacom.com
Package 32:bind-9.9.4-61.el7.x86_64 already installed and latest version
Nothing to do

2. In /etc/named.conf, make sure the option dnssec-validation auto; is configured. You need to restart the named service if you make any change.

That's it!


Validation

Your managed keys should now include KSK-2017 (key tag 20326) alongside KSK-2010 (key tag 19036). The shipped trust anchors are in /etc/named.root.key, and the keys named has actually learned and is tracking are in /var/named/dynamic/managed-keys.bind.

# cat /etc/named.root.key 
managed-keys {
        # ROOT KEYS: See https://data.iana.org/root-anchors/root-anchors.xml
        # for current trust anchor information.
        #
        # This key (19036) is to be phased out starting in 2017. It will
        # remain in the root zone for some time after its successor key
        # has been added. It will remain this file until it is removed from
        # the root zone.
        . initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq QxA+Uk1ihz0=";

        # This key (20326) is to be published in the root zone in 2017.
        # Servers which were already using the old key should roll to the
        # new # one seamlessly.  Servers being set up for the first time
        # can use either of the keys in this file to verify the root keys
        # for the first time; thereafter the keys in the zone will be
        # trusted and maintained automatically.
        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN R1AkUTV74bU=";
};
#  cat /var/named/dynamic/managed-keys.bind
$ORIGIN .
$TTL 0  ; 0 seconds
@                       IN SOA  . . (
                                244        ; serial
                                0          ; refresh (0 seconds)
                                0          ; retry (0 seconds)
                                0          ; expire (0 seconds)
                                0          ; minimum (0 seconds)
                                )
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
                                /RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
                                JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
                                oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
                                LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
                                Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
                                LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
                                7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
                                LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
                                efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
                                pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
                                A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
                                9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
                                ) ; KSK; alg = RSASHA256; key id = 20326
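Rather than reading the two files by eye, the two conditions above (dnssec-validation auto; in named.conf, and key id 20326 present in the managed-keys zone dump) can be checked from a script. The following is an added example and not part of the original post; both functions read from stdin so they can run against constructed, shortened samples offline. On a real server the invocations would be named_validation_mode < /etc/named.conf and managed_keys_present 20326 < /var/named/dynamic/managed-keys.bind. The sample file contents are assumptions and carry truncated key material.

```shell
# Added example: verify KSK-2017 readiness from named.conf and managed-keys.bind.

# Prints the effective dnssec-validation value (auto / yes / no) from a
# named.conf read on stdin, ignoring lines commented out with // or #,
# or "unset" when the option does not appear. (/* */ block comments are
# not handled; named.conf files on CentOS 7 normally use // or #.)
named_validation_mode() {
    mode=$(sed -e 's|//.*||' -e 's|#.*||' \
           | sed -n 's/.*dnssec-validation[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' \
           | tail -n 1)
    echo "${mode:-unset}"
}

# Reports whether a managed-keys zone dump (stdin) lists a KSK with the given
# key id, matching the "key id = NNNNN" trailer named writes after each key.
# Prints "present" or "missing"; the exit status follows the result.
managed_keys_present() {
    wanted="$1"
    if grep -q "key id = ${wanted}[[:space:]]*\$"; then
        echo present
    else
        echo missing
        return 1
    fi
}

# Constructed sample inputs (assumed; key material shortened).
SAMPLE_NAMED_CONF='options {
        listen-on port 53 { 127.0.0.1; };
        recursion yes;
        // dnssec-validation yes;
        dnssec-validation auto;
};'

SAMPLE_NAMED_CONF_UNSET='options {
        recursion yes;
};'

SAMPLE_MANAGED_KEYS='                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
                                ) ; KSK; alg = RSASHA256; key id = 19036
                        KEYDATA 20180824154419 20180118081629 19700101000000 257 3 8 (
                                AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
                                ) ; KSK; alg = RSASHA256; key id = 20326'

# Usage on a real server:
#   named_validation_mode < /etc/named.conf
#   managed_keys_present 20326 < /var/named/dynamic/managed-keys.bind
```

The comment-stripping step matters: a named.conf that still carries a commented-out dnssec-validation yes; above the live auto line would otherwise be reported on the wrong value, and a resolver that silently fell back to a single stale trust anchor is exactly the failure the rollover can trigger.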


References:

  • https://www.youtube.com/watch?v=d7H1AkC9PIw
  • https://kb.isc.org/article/AA-01529/169/KSK-2010-Rollover.html
  • https://www.icann.org/dns-resolvers-updating-latest-trust-anchor
  • https://www.rfc-editor.org/rfc/rfc8145.txt
