Step-by-Step DNSSEC-Tools Operator Guidance Document

Using the DNSSEC-Tools v1.0 distribution

SPARTA, Inc.
Table of Contents

1. Introduction
    Organization of this Document
    Key Concepts
        Zones and Authentication Keys
        Zone Rollover
        Key-Tag Tables
        Keyrec Files
        Rollrec Files
    Conventions Used in this Document
    Acknowledgments
    Comments
2. Configure DNSSEC-Tools
    Check for Randomness
    Create the DNSSEC-Tools Configuration File
    BIND Name Server Execution
    Protect Your Files!
3. Initially Signing a Zone
    Sign the Zone with zonesigner
4. Configuring and Serving a Signed Zone
    Add the Signed Zone to the Name Server Configuration File
    Enable DNSSEC
    Check the Name Server Configuration File for Errors
    Reload the Zone
    Check that the Zone Loaded Properly
5. Checking Signature Expiration
    Check the Zone for Expiring Signatures
6. Resigning a Zone
    Resign the Zone with zonesigner
7. Creating a Signed Delegation - Child Zone Activity
    Securely Transfer the Keyset to the Parent
    Wait for the Parent to Publish the DS Record
8. Creating a Signed Delegation - Parent Zone Activity
    Ensure that the Child Keysets were Received Over a Secure Channel
    Ensure that Each Received Keyset is for a Delegated Zone
    Re-sign the Parent Zone
    Reload the Zone
9. Current ZSK Rollover (Pre-Publish Scheme)
    Pre-Publish Rollover Scheme
    ZSK Rollover Using DNSSEC-Tools
        Gather Zone Data
        Initial Signing of Zones
        Create the Rollrec File
        Run the DNSSEC-Tools Rollover Daemon
        Controlling the Rollover Process
    Manual ZSK Rollover
10. KSK Rollover (Double-Signature Scheme)
    Manual KSK Rollover
11. Emergency ZSK Rollover (Current ZSK Compromise)
    Manual Emergency Current ZSK Rollover
12. Emergency ZSK Rollover (Published ZSK Compromise)
    Manual Emergency Published ZSK Rollover
13. Emergency ZSK Rollover (Published and Current ZSK Compromise)
    Emergency Current and Published ZSK Rollover Using DNSSEC-Tools
        Stop Automatic Zone Rollover
        Generate New Current and Published Keys
        Fix the Keyrec File
        Reload the Zone
        Dispose of the Old Zone Key
        Restart Automatic Zone Rollover
    Manual Emergency Rollover of Current and Published ZSKs
14. Emergency KSK Rollover (KSK Compromise)
    Emergency Current KSK Rollover Using DNSSEC-Tools
        Inform Parent about the KSK Compromise
        Wait for the Parent to Remove the Zone's DS Record
        Stop Automatic Zone Rollover
        Generate New Keys
        Fix the Keyrec File
        Perform Child Activities
        Reload the Zone
        Dispose of the Old Zone Key
        Restart Automatic Zone Rollover
    Manual Emergency Current KSK Rollover
15. Parent Action During Child KSK Compromise
    Ensure that the KSK Compromise Notification Came Over a Secure Channel
    Delete the Child's Keyset File at the Parent
    Re-sign the Parent Zone
    Reload the Zone
16. Migrate to the Toolset
    Generate the Keyrec File
    Verify the Keyrec File
    Resign the Zone with zonesigner
17. Configure a Secure Resolver
    Introduction
    References

List of Tables

1.1. Conventions
2.1. DNSSEC-Tools Configuration Options
3.1. zonesigner Output Files
6.1. zonesigner Output Files
16.1. Example Files