Revision [2543]

This is an old revision of dnssecroot made by JulianDemarchi on 2011-07-28 20:00:40.


Purpose

Sign the OpenNIC root zone

Tasks


Root Zone Script Changes


The makeroot.sh script will need to be modified slightly to support signing the root zone. Currently the script can produce DNSSEC output, but it does not include that output in the zone file it actually creates; this will need to be enabled first. Next, the script will need a way to inject DS records for the delegated TLDs. Finally, the script will need to sign the finished zone. The first and last changes are straightforward, as the script was built with this in mind.

Injecting the DS records into the zone is also easy, but it is complicated by the need to plan where they will live on ns0. Basically, a TLD will send its dsset-* file to ns0 for verification and pending injection into the root zone. In theory the script only has to look in one directory for all dsset-* files to inject; it does not need to know which zones the injected records belong to.

An issue that can occur with DNSSEC is that if an erroneous or misconfigured DS record makes it into the root zone, it will break DNSSEC validation and possibly the zone. In DNSSEC, when an issue arises from the DS record, resolvers return SERVFAIL. We have to devise a method to check that all DNSSEC-signed TLDs still work with the new zone. This raises a question: do we generate the zone and then test it once it's in production? I haven't tested yet, but maybe named-checkzone will pick this up?
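The DS-injection and signing steps described above, as an added shell example that is not OpenNIC's makeroot.sh: it gathers every dsset-* file from one directory on ns0, rejects the whole batch if any record is malformed (so a single TLD's mistake is never signed into the root zone), then signs with dnssec-signzone and runs named-checkzone over the result. DSSET_DIR, the key file paths and the function names are assumptions for this illustration.

```shell
# Added example, not OpenNIC's makeroot.sh: gather the dsset-* files that TLD
# operators drop on ns0, refuse any malformed DS record before it reaches the
# root zone, then sign and check the result. DSSET_DIR and the key file
# locations below are assumptions.

DSSET_DIR=${DSSET_DIR:-/etc/bind/dnssec/dsset}

# Check that one DS line is well formed:
#   <owner>. IN DS <keytag> <alg> <digesttype> <hexdigest ...>
# Returns 0 for a plausible record, 1 otherwise.
check_ds_line() {
    set -f                       # no globbing while splitting the line
    set -- $1
    set +f
    [ "$#" -ge 7 ] || return 1
    owner=$1; cls=$2; typ=$3; tag=$4; alg=$5; dtype=$6
    shift 6
    digest=$(printf '%s' "$@")   # dnssec-signzone wraps long digests over two tokens
    case "$owner" in *.) ;; *) return 1 ;; esac          # owner must be fully qualified
    [ "$cls" = IN ] && [ "$typ" = DS ] || return 1
    case "$tag$alg$dtype" in *[!0-9]*) return 1 ;; esac  # numeric fields only
    [ "$tag" -le 65535 ] || return 1
    case "$digest" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    case "$dtype" in                                      # digest length must match its type
        1) [ "${#digest}" -eq 40 ] ;;   # SHA-1
        2) [ "${#digest}" -eq 64 ] ;;   # SHA-256
        4) [ "${#digest}" -eq 96 ] ;;   # SHA-384
        *) return 1 ;;
    esac
}

# Append every valid DS record found in $1/dsset-* to zone file $2.
# Rejects the whole batch (appends nothing, returns 1) if any file holds a
# bad record, so one TLD's mistake cannot be signed into the root zone.
inject_dssets() {
    dir=$1; zone=$2; bad=0; tmp="$zone.ds.tmp"
    : > "$tmp"
    for f in "$dir"/dsset-*; do
        [ -f "$f" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in ''|';'*) continue ;; esac    # skip blanks and comments
            if check_ds_line "$line"; then
                printf '%s\n' "$line" >> "$tmp"
            else
                echo "rejecting DS record in $f: $line" >&2
                bad=1
            fi
        done < "$f"
    done
    [ "$bad" -eq 0 ] && cat "$tmp" >> "$zone"
    rm -f "$tmp"
    return "$bad"
}

# Sign the assembled root zone with the KSK/ZSK kept in /etc/bind/dnssec and
# run named-checkzone over the result before it is published. The key file
# names are placeholders for whatever dnssec-keygen produced on ns0.
sign_and_check() {
    zone=$1
    ksk=${KSK:-/etc/bind/dnssec/Kroot-ksk.key}   # placeholder path
    zsk=${ZSK:-/etc/bind/dnssec/Kroot-zsk.key}   # placeholder path
    dnssec-signzone -o . -k "$ksk" "$zone" "$zsk" || return 1
    named-checkzone . "$zone.signed"
}

# Typical run on ns0 (paths assumed):
#   inject_dssets "$DSSET_DIR" /etc/bind/root.zone && sign_and_check /etc/bind/root.zone
```

The syntax check catches the class of error a zone-file parser would also reject (bad hex, wrong digest length, unqualified owner). It cannot tell whether a well-formed DS actually matches the child's KSK; that needs the child's DNSKEY, for example by regenerating the DS with dnssec-dsfromkey from the TLD's published key and comparing it with the submitted record.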

ZSK and KSK


The ZSK and KSK for the root zone will be created in a directory called dnssec under /etc/bind/ on ns0. It will be readable and writable by root only, with no other permission bits set, which ensures that only root can read these keys. As makeroot.sh is run by root, this will not cause any issues.

Key Rolling

Read: Key Maintenance
The ZSK and KSK need to be regenerated every 3 or 6 months; this process is formally known as key rolling. For TLDs, key rolling will be integrated into the process of passing dsset-* files to ns0. On ns0 there will be a dedicated key-rolling process. When the keys are first created, a file called CREATED will also be written, containing the date the keys were created. A cron job run once a week will check this creation date. When it comes down to the last week, it will email the admin every day as a reminder to regenerate the keys.
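The root-only key directory from the "ZSK and KSK" section and the CREATED-file check from this section, as one added shell example that is not the OpenNIC ns0 scripts. The date arithmetic is done in plain sh so the check behaves the same on any system; KEYDIR, the key algorithm and sizes, the 90-day period and the cron path are assumptions.

```shell
# Added example, not the OpenNIC ns0 scripts: create the root-only key
# directory, record the creation date in CREATED, and implement the
# key-rolling reminder. KEYDIR, key sizes and the cron path are assumptions.

KEYDIR=${KEYDIR:-/etc/bind/dnssec}

# Create /etc/bind/dnssec readable and writable by root only and generate the
# root KSK and ZSK there. Run once, as root, on ns0.
setup_keydir() {
    umask 077
    mkdir -p "$KEYDIR" && chown root:root "$KEYDIR" && chmod 0700 "$KEYDIR" || return 1
    cd "$KEYDIR" || return 1
    dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE . >/dev/null || return 1   # KSK
    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE . >/dev/null || return 1          # ZSK
    date +%Y-%m-%d > CREATED
}

# Days since 1970-01-01 for a YYYY-MM-DD date (proleptic Gregorian), in pure
# sh so the check does not depend on GNU or BSD date extensions.
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                       # drop leading zeros
    if [ "$m" -le 2 ]; then y=$((y - 1)); mm=$((m + 9)); else mm=$((m - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mm + 2) / 5 + d - 1 ))
    doe=$(( yoe * 365 + yoe / 4 - yoe / 100 + doy ))
    echo $(( era * 146097 + doe - 719468 ))
}

# What the cron job should do today. Reads the creation date from CREATED and
# compares it with the rollover period (90 days ~ 3 months, 180 ~ 6 months).
# Exit status: 0 = fine, 1 = inside the final week (remind daily), 2 = overdue.
rollover_status() {
    created_file=$1; today=$2; period_days=${3:-90}
    read -r created < "$created_file" || [ -n "$created" ] || return 2
    age=$(( $(days_since_epoch "$today") - $(days_since_epoch "$created") ))
    left=$(( period_days - age ))
    if [ "$left" -le 0 ]; then
        echo "root keys overdue for rolling by $(( -left )) days"; return 2
    elif [ "$left" -le 7 ]; then
        echo "root keys must be regenerated within $left days"; return 1
    fi
    echo "root keys fine, $left days left"
}

# Cron entry (assumed path): run daily, mail root only when a reminder is due.
#   0 6 * * * /usr/local/sbin/check-root-keys
check_root_keys() {
    msg=$(rollover_status "$KEYDIR/CREATED" "$(date +%Y-%m-%d)" 90) && return 0
    echo "$msg" | mail -s "OpenNIC root DNSSEC keys: $msg" root
}
```

Running the check daily and keeping it silent outside the final week gives the daily reminders described above without a second cron job; a once-a-week run would only ever send one mail before the deadline.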

Distributing the root DS keys


The DS keys for the root zone need to be distributed to all T1 servers and any T2s that wish to use them to enable DNSSEC for the OpenNIC root. There have been quite a few discussions about how this will be done. Some ideas are: