The steps given below detail what must be done during an emergency KSK rollover when DNSSEC-Tools is used to assist with the rollover.
This communication between parent and child must be done securely using out-of-band mechanisms.
Before proceeding, wait for the parent zone to remove the DS record. This may be determined by using the dig command to retrieve the parent's DS record.
# dig @parent-IP-address DS zone.name [ENTER]
...
;; flags: qr aa rd; QUERY: 1, ANSWER: 0,
AUTHORITY: 1, ADDITIONAL: 0
...
#
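The check above has to be repeated until the parent answers with no DS record. The following script, added here as an example and not part of DNSSEC-Tools or the guide, parses the text output of the dig command and reports whether the DS has been removed. It goes slightly beyond the text in two ways: it only accepts an authoritative answer (the "aa" flag), since a non-authoritative reply could be a stale cached copy, and it can look for the DS of one specific key tag, so that a DS the parent publishes for a different, uncompromised KSK is not mistaken for the compromised one. The two dig responses, the parent address 192.0.2.53 and the key tag 11111 are constructed sample data; wait_for_ds_removal assumes a dig binary on the PATH.

```python
"""Decide from dig output whether the parent has removed a DS record.
Added example, not DNSSEC-Tools code; the sample responses are constructed."""
import re
import subprocess
import time

FLAGS_RE = re.compile(r'^;; flags:\s*([^;]*);\s*(.*)$')
STATUS_RE = re.compile(r'status:\s*(\w+)')


def parse_dig_response(text):
    """Return the status, flag set, section counts and answer-section RRs."""
    resp = {"status": None, "flags": set(), "counts": {}, "answer": []}
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = STATUS_RE.search(line)
            if m:
                resp["status"] = m.group(1)
        elif line.startswith(";; flags:"):
            m = FLAGS_RE.match(line)
            resp["flags"] = set(m.group(1).split())
            for part in m.group(2).split(","):          # "ANSWER: 0", ...
                name, _, value = part.partition(":")
                if value.strip().isdigit():
                    resp["counts"][name.strip()] = int(value)
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";;") or not line.strip():
            in_answer = False                             # next section / blank
        elif in_answer and not line.startswith(";"):
            fields = line.split(None, 4)                  # owner ttl class type rdata
            if len(fields) == 5:
                resp["answer"].append(tuple(fields))
    return resp


def ds_removed(dig_output, key_tag=None):
    """True only when an authoritative NOERROR answer carries no DS record
    (or, if key_tag is given, no DS with that key tag). A non-authoritative
    or error reply proves nothing and is treated as 'not yet removed'."""
    resp = parse_dig_response(dig_output)
    if "aa" not in resp["flags"] or resp["status"] != "NOERROR":
        return False
    for _owner, _ttl, _cls, rtype, rdata in resp["answer"]:
        if rtype != "DS":
            continue
        if key_tag is None or rdata.split()[0] == str(key_tag):  # DS rdata: tag alg dtype digest
            return False
    return True


def wait_for_ds_removal(zone, parent, key_tag=None, interval=300, max_attempts=288):
    """Poll the parent's name server with dig until ds_removed() holds.
    Requires the dig binary (assumption); not exercised by the samples below."""
    for _ in range(max_attempts):
        out = subprocess.run(["dig", "@" + parent, "DS", zone],
                             capture_output=True, text=True, check=False).stdout
        if ds_removed(out, key_tag):
            return True
        time.sleep(interval)
    return False


# Constructed dig output: the parent still publishes a DS for key tag 11111.
DS_PRESENT = """\
; <<>> DiG 9.18.0 <<>> @192.0.2.53 DS example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;example.com.            IN      DS

;; ANSWER SECTION:
example.com.     3600    IN      DS      11111 8 2 0123456789ABCDEF0123456789ABCDEF
"""

# Constructed dig output after the parent removed the DS (shape as in the text).
DS_GONE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
com.    900     IN      SOA     ns.parent.example. hostmaster.parent.example. 1 1800 900 604800 86400
"""

if __name__ == "__main__":
    print("DS_PRESENT, tag 11111 removed:", ds_removed(DS_PRESENT, 11111))  # False
    print("DS_GONE, tag 11111 removed:   ", ds_removed(DS_GONE, 11111))     # True
```

Query the parent's authoritative server directly, as the text does, rather than a recursive resolver; the "aa" check enforces that, because a recursive resolver's cached DS can outlive the parent's change by the record's TTL.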
The rollerd command must not be executing during this procedure.
# rollctl -halt [ENTER]
#
Since the KSK has been compromised it must be regenerated. In addition, the ZSKs can no longer be trusted so they too must be regenerated. This may be done with a single zonesigner execution.
# zonesigner -genkeys zone.name [ENTER]
#
The zonesigner command in the previous step will have left the compromised zone's keyrec file in an inconsistent state. Consequently, the keyrec file must be edited to return it to a valid state.
The steps below should be followed to fix the keyrec file for the KSK keys.
Find the name of the zone's keyrec file. This may be done with the following command:
# lsroll -keyrec -terse rollrec-file [ENTER]
#
Find the name of the zone's Current KSK. Look for the zone keyrec entry for the compromised zone, and find its ksk entry. This holds the name of the KSK.
Edit the keyrec file and search for all key keyrec entries with a keyrec_type of "ksk". Any keys with this type that are not the Current KSK should be given the type "kskobs".
The steps below should be followed to fix the keyrec file for the Current ZSK keys.
Find the name of the zone's keyrec file. This may be done with the following command:
# lsroll -keyrec -terse rollrec-file [ENTER]
#
Find the name of the zone's Current ZSK signing set. Look for the zone keyrec entry for the compromised zone, and find its zskcur entry. This holds the name of the Current ZSK signing set.
Get the names of the keys in the Current ZSK signing set. Look for the set keyrec entry for the Current ZSK signing set. The keys listed in that set's keys entry are the ZSK keys in the Current ZSK signing set.
Edit the keyrec file and search for all key keyrec entries with a keyrec_type of "zskcur". Any keys with this type that are not in the Current signing set should be given the type "zskobs".
The steps below should be followed to fix the keyrec file for the Published KSK keys.
Find the name of the zone's keyrec file. This may be done with the following command:
# lsroll -keyrec -terse rollrec-file [ENTER]
#
Find the name of the zone's Published signing set. Look for the zone keyrec entry for the compromised zone, and find its zskpub entry. This holds the name of the Published ZSK signing set.
Get the names of the keys in the Published signing set. Look for the set keyrec entry for the Published ZSK signing set. The keys listed in that set's keys entry are the ZSK keys in the Published ZSK signing set.
Edit the keyrec file and search for all key keyrec entries with a keyrec_type of "zskpub". Any keys with this type that are not in the Published signing set should be given the type "zskobs".
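The three keyrec repairs described above (relabelling KSKs other than the Current KSK as "kskobs", and ZSKs outside the Current and Published signing sets as "zskobs") follow the same pattern, and doing them by hand is error-prone. The script below, added as an example and not part of DNSSEC-Tools, applies all three rules at once. It assumes the keyrec layout the text describes: zone, set and key records, each a header line such as key "name" followed by indented field "value" lines, with the zone record naming the Current KSK in a kskcur (or ksk) entry and the signing sets in zskcur and zskpub entries, the set records listing their members in a keys entry, and each key record carrying keyrec_type and zonename fields. The keyrec content, zone name and key names are constructed sample data; check the edited file against lsroll before relying on it.

```python
"""Relabel obsolete keys in a DNSSEC-Tools keyrec file after an emergency
KSK rollover. Added example, not DNSSEC-Tools code; the keyrec layout is an
assumption based on the entries the guide names, and the sample is constructed."""
import re

HEADER_RE = re.compile(r'^(zone|set|key)\s+"([^"]+)"\s*$')
FIELD_RE = re.compile(r'^\s+(\S+)\s+"([^"]*)"\s*$')


def parse_keyrec(text):
    """Return a list of (record_type, name, fields) tuples."""
    records, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2), {})
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[2][m.group(1)] = m.group(2)
    return records


def obsolete_keys(records, zone):
    """Return {key_name: new_keyrec_type} for every key that must be relabelled,
    applying the KSK, Current ZSK and Published ZSK rules from the guide."""
    zones = {n: f for t, n, f in records if t == "zone"}
    sets = {n: f for t, n, f in records if t == "set"}
    z = zones[zone]
    cur_ksk = z.get("kskcur") or z.get("ksk")          # guide says "ksk"; real files use kskcur
    cur_zsks = set(sets[z["zskcur"]].get("keys", "").split())
    pub_zsks = set(sets[z["zskpub"]].get("keys", "").split())
    changes = {}
    for t, name, f in records:
        if t != "key" or f.get("zonename", zone) != zone:
            continue
        ktype = f.get("keyrec_type")
        if ktype == "ksk" and name != cur_ksk:
            changes[name] = "kskobs"
        elif ktype == "zskcur" and name not in cur_zsks:
            changes[name] = "zskobs"
        elif ktype == "zskpub" and name not in pub_zsks:
            changes[name] = "zskobs"
    return changes


def rewrite_keyrec(text, changes):
    """Rewrite only the keyrec_type lines of the affected key records, leaving
    every other line (comments, spacing, other fields) untouched."""
    out, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
        else:
            m = FIELD_RE.match(line)
            if (m and current and current[0] == "key" and current[1] in changes
                    and m.group(1) == "keyrec_type"):
                line = line.replace('"%s"' % m.group(2), '"%s"' % changes[current[1]], 1)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed keyrec: one stale KSK, one stale Current ZSK, one stale Published ZSK.
SAMPLE_KEYREC = """\
zone    "example.com"
        zonefile        "example.com.signed"
        kskcur          "Kexample.com.+008+11111"
        zskcur          "example.com-signing-set-001"
        zskpub          "example.com-signing-set-002"

set     "example.com-signing-set-001"
        zonename        "example.com"
        keys            "Kexample.com.+008+22222"
        set_type        "zskcur"

set     "example.com-signing-set-002"
        zonename        "example.com"
        keys            "Kexample.com.+008+33333"
        set_type        "zskpub"

key     "Kexample.com.+008+11111"
        zonename        "example.com"
        keyrec_type     "ksk"

key     "Kexample.com.+008+44444"
        zonename        "example.com"
        keyrec_type     "ksk"

key     "Kexample.com.+008+22222"
        zonename        "example.com"
        keyrec_type     "zskcur"

key     "Kexample.com.+008+55555"
        zonename        "example.com"
        keyrec_type     "zskcur"

key     "Kexample.com.+008+33333"
        zonename        "example.com"
        keyrec_type     "zskpub"

key     "Kexample.com.+008+66666"
        zonename        "example.com"
        keyrec_type     "zskpub"
"""

if __name__ == "__main__":
    changes = obsolete_keys(parse_keyrec(SAMPLE_KEYREC), "example.com")
    print(changes)   # the three stale keys and their new types
    print(rewrite_keyrec(SAMPLE_KEYREC, changes))
```

Running obsolete_keys a second time on the rewritten file returns an empty dictionary, which is a convenient way to confirm the file is back in the consistent state the guide requires before rollerd is restarted.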
See Chapter 7, Creating a Signed Delegation - Child Zone Activity for the steps that need to be performed if this zone is a secure delegation from another zone.
The rndc command will reload the name server configuration files and the zone contents. The name server process is assumed to be already running.
# rndc reload zone-name [ENTER]
#