/contrib/bind9/doc/arm/managed-keys.xml

https://bitbucket.org/freebsd/freebsd-head/ · XML · 100 lines · 79 code · 2 blank · 19 comment · 0 complexity · 8bd1264f7fcd7da448a462ba596ea271 MD5 · raw file 

    

  1. <?xml version="1.0" encoding="utf-8"?>
    2. 

  2. <!--
    3. 

  3.  - Copyright (C) 2010  Internet Systems Consortium, Inc. ("ISC")
    4. 

  4.  -
    5. 

  5.  - Permission to use, copy, modify, and/or distribute this software for any
    6. 

  6.  - purpose with or without fee is hereby granted, provided that the above
    7. 

  7.  - copyright notice and this permission notice appear in all copies.
    8. 

  8.  -
    9. 

  9.  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
    10. 

  10.  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
    11. 

  11.  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
    12. 

  12.  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
    13. 

  13.  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
    14. 

  14.  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
    15. 

  15.  - PERFORMANCE OF THIS SOFTWARE.
    16. 

  16. -->
    17. 

  17. 

  18. <!-- $Id: managed-keys.xml,v 1.3 2010/02/03 23:49:07 tbox Exp $ -->
    19. 

  19. 

  20. <sect1 id="rfc5011.support">
    21. 

  21.   <title>Dynamic Trust Anchor Management</title>
    22. 

  22.   <para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
    23. 

  23.   anchor management. Using this feature allows 
    24. 

  24.   <command>named</command> to keep track of changes to critical
    25. 

  25.   DNSSEC keys without any need for the operator to make changes to
    26. 

  26.   configuration files.</para>
    27. 

  27.   <sect2>
    28. 

  28.     <title>Validating Resolver</title>
    29. 

  29.     <!-- TODO: command tag is overloaded for configuration and executables -->
    30. 

  30.     <para>To configure a validating resolver to use RFC 5011 to
    31. 

  31.     maintain a trust anchor, configure the trust anchor using a 
    32. 

  32.     <command>managed-keys</command> statement. Information about
    33. 

  33.     this can be found in 
    34. 

  34.     <xref linkend="managed-keys" />.</para>
    35. 

  35.     <!-- TODO: managed-keys examples
    36. 

  36. also in DNSSEC section above here in ARM -->
    37. 

  37.   </sect2>
    38. 

  38.   <sect2>
    39. 

  39.     <title>Authoritative Server</title>
    40. 

  40.     <para>To set up an authoritative zone for RFC 5011 trust anchor
    41. 

  41.     maintenance, generate two (or more) key signing keys (KSKs) for
    42. 

  42.     the zone. Sign the zone with one of them; this is the "active"
    43. 

  43.     KSK. All KSK's which do not sign the zone are "stand-by"
    44. 

  44.     keys.</para>
    45. 

  45.     <para>Any validating resolver which is configured to use the
    46. 

  46.     active KSK as an RFC 5011-managed trust anchor will take note
    47. 

  47.     of the stand-by KSKs in the zone's DNSKEY RRset, and store them
    48. 

  48.     for future reference. The resolver will recheck the zone
    49. 

  49.     periodically, and after 30 days, if the new key is still there,
    50. 

  50.     then the key will be accepted by the resolver as a valid trust
    51. 

  51.     anchor for the zone. Any time after this 30-day acceptance
    52. 

  52.     timer has completed, the active KSK can be revoked, and the
    53. 

  53.     zone can be "rolled over" to the newly accepted key.</para>
    54. 

  54.     <para>The easiest way to place a stand-by key in a zone is to
    55. 

  55.     use the "smart signing" features of 
    56. 

  56.     <command>dnssec-keygen</command> and 
    57. 

  57.     <command>dnssec-signzone</command>. If a key with a publication
    58. 

  58.     date in the past, but an activation date which is unset or in
    59. 

  59.     the future, " 
    60. 

  60.     <command>dnssec-signzone -S</command>" will include the DNSKEY
    61. 

  61.     record in the zone, but will not sign with it:</para>
    62. 

  62.     <screen>
    63. 

  63. $ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
    64. 

  64. $ <userinput>dnssec-signzone -S -K keys example.net</userinput>
    65. 

  65. </screen>
    66. 

  66.     <para>To revoke a key, the new command 
    67. 

  67.     <command>dnssec-revoke</command> has been added. This adds the
    68. 

  68.     REVOKED bit to the key flags and re-generates the 
    69. 

  69.     <filename>K*.key</filename> and 
    70. 

  70.     <filename>K*.private</filename> files.</para>
    71. 

  71.     <para>After revoking the active key, the zone must be signed
    72. 

  72.     with both the revoked KSK and the new active KSK. (Smart
    73. 

  73.     signing takes care of this automatically.)</para>
    74. 

  74.     <para>Once a key has been revoked and used to sign the DNSKEY
    75. 

  75.     RRset in which it appears, that key will never again be
    76. 

  76.     accepted as a valid trust anchor by the resolver. However,
    77. 

  77.     validation can proceed using the new active key (which had been
    78. 

  78.     accepted by the resolver when it was a stand-by key).</para>
    79. 

  79.     <para>See RFC 5011 for more details on key rollover
    80. 

  80.     scenarios.</para>
    81. 

  81.     <para>When a key has been revoked, its key ID changes,
    82. 

  82.     increasing by 128, and wrapping around at 65535. So, for
    83. 

  83.     example, the key "<filename>Kexample.com.+005+10000</filename>" becomes
    84. 

  84.     "<filename>Kexample.com.+005+10128</filename>".</para>
    85. 

  85.     <para>If two keys have ID's exactly 128 apart, and one is
    86. 

  86.     revoked, then the two key ID's will collide, causing several
    87. 

  87.     problems. To prevent this, 
    88. 

  88.     <command>dnssec-keygen</command> will not generate a new key if
    89. 

  89.     another key is present which may collide. This checking will
    90. 

  90.     only occur if the new keys are written to the same directory
    91. 

  91.     which holds all other keys in use for that zone.</para>
    92. 

  92.     <para>Older versions of BIND 9 did not have this precaution.
    93. 

  93.     Exercise caution if using key revocation on keys that were
    94. 

  94.     generated by previous releases, or if using keys stored in
    95. 

  95.     multiple directories or on multiple machines.</para>
    96. 

  96.     <para>It is expected that a future release of BIND 9 will
    97. 

  97.     address this problem in a different way, by storing revoked
    98. 

  98.     keys with their original unrevoked key ID's.</para>
    99. 

  99.   </sect2>
    100. 

  100. </sect1>
    101.