Emergency Current and Published ZSK Rollover Using DNSSEC-Tools

The steps below detail what must be done during an emergency ZSK rollover when DNSSEC-Tools is used to assist with the rollover.

Stop Automatic Zone Rollover

The rollerd command must not be executing during this procedure.

# rollctl -halt [ENTER]
#

Generate New Current and Published Keys

Creating new Current and Published ZSKs may be done with a single zonesigner execution.

# zonesigner -genzsk zone.name [ENTER]
#

Fix the Keyrec File

The zonesigner command in the previous step will have left the compromised zone's keyrec file in an inconsistent state. Consequently, the keyrec file must be edited to return it to a valid state.

The steps below should be followed to fix the keyrec file for the Current ZSK keys.

  1. Find the name of the zone's keyrec file. This may be done with the following command:

    # lsroll -keyrec -terse rollrec-file [ENTER]
    #
  2. Find the name of the zone's Current ZSK signing set. Look for the zone keyrec entry for the compromised zone, and find its zskcur entry. This holds the name of the Current ZSK signing set.

  3. Get the names of the keys in the Current ZSK signing set. Look for the set keyrec entry for the Current ZSK signing set. The keys listed in that set's keys entry are the ZSK keys in the Current ZSK signing set.

  4. Edit the keyrec file and search for all key keyrec entries with a keyrec_type of "zskcur". Any keys with this type that are not in the Current signing set should be given the type "zskobs".

The steps below should be followed to fix the keyrec file for the Published ZSK keys.

  1. Find the name of the zone's keyrec file. This may be done with the following command:

    # lsroll -keyrec -terse rollrec-file [ENTER]
    #
  2. Find the name of the zone's Published signing set. Look for the zone keyrec entry for the compromised zone, and find its zskpub entry. This holds the name of the Published ZSK signing set.

  3. Get the names of the keys in the Published signing set. Look for the set keyrec entry for the Published ZSK signing set. The keys listed in that set's keys entry are the ZSK keys in the Published ZSK signing set.

  4. Edit the keyrec file and search for all key keyrec entries with a keyrec_type of "zskpub". Any keys with this type that are not in the Published signing set should be given the type "zskobs".
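As an added example (not code from DNSSEC-Tools or from this guide), the following script performs the check that the Current and Published steps above describe by hand: it parses a constructed keyrec excerpt, collects the keys named in the zone's zskcur and zskpub signing sets, and retypes every other key record of type zskcur or zskpub as zskobs. The record layout of the sample is an assumption; the field names zskcur, zskpub, keys and keyrec_type are the ones used in the steps.

```python
import re
# Constructed keyrec excerpt for this example; the record layout (zone, set and key
# records with indented field "value" lines) is an assumption, field names are from the text.
SAMPLE_KEYREC = '''\
zone "example.com"
\tzskcur\t"example.com-zsk-cur"
\tzskpub\t"example.com-zsk-pub"
set "example.com-zsk-cur"
\tkeys\t"Kexample.com.+008+30001"
set "example.com-zsk-pub"
\tkeys\t"Kexample.com.+008+30002"
key "Kexample.com.+008+10001"
\tkeyrec_type\t"zskcur"
key "Kexample.com.+008+30001"
\tkeyrec_type\t"zskcur"
key "Kexample.com.+008+20002"
\tkeyrec_type\t"zskpub"
key "Kexample.com.+008+30002"
\tkeyrec_type\t"zskpub"
'''
REC_RE = re.compile(r'^(zone|set|key)\s+"([^"]+)"\s*$')
FIELD_RE = re.compile(r'^\s+(\w+)\s+"([^"]*)"\s*$')

def parse_keyrec(text):
    """Map (record type, record name) -> {field: value}."""
    recs, cur = {}, None
    for line in text.splitlines():
        if (m := REC_RE.match(line)):
            cur = recs.setdefault((m.group(1), m.group(2)), {})
        elif (m := FIELD_RE.match(line)) and cur is not None:
            cur[m.group(1)] = m.group(2)
    return recs

def retire_stale_zsks(text, zone):
    """Steps 2-4: retype zskcur/zskpub keys outside the zone's signing sets as zskobs."""
    recs = parse_keyrec(text)
    zrec = recs[("zone", zone)]
    # Keys that keep their type: the members of the zone's named signing sets.
    keep = {t: set(recs[("set", zrec[t])].get("keys", "").split()) for t in ("zskcur", "zskpub")}
    out, stale, keyname = [], [], None
    for line in text.splitlines():
        if (m := REC_RE.match(line)):
            keyname = m.group(2) if m.group(1) == "key" else None
        f = FIELD_RE.match(line)
        if keyname and f and f.group(1) == "keyrec_type" \
                and f.group(2) in keep and keyname not in keep[f.group(2)]:
            stale.append(keyname)
            line = line.replace('"%s"' % f.group(2), '"zskobs"')
        out.append(line)
    # Returns the rewritten keyrec text and the sorted names of the retyped keys.
    return "\n".join(out) + "\n", sorted(stale)
```

Running it a second time over its own output retypes nothing, which is a quick way to confirm the keyrec file is back in a consistent state before the zone is reloaded.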

Reload the Zone

The rndc command will reload the name server configuration files and the zone contents. The name server process is assumed to be already running.

# rndc reload zone-name [ENTER]
#

Dispose of the Old Zone Key

Delete the old ZSK's .private and .key files.

Restart Automatic Zone Rollover

Automatic rollover may be restarted by executing the rollerd command. It should be given the same options as when it was originally started.