DNSSEC: give KSK from my domain to parent zones
Roberto Carna
2018-10-03 19:24:22 UTC
Dear people, I have DNSSEC implemented in my authoritative domain in BIND
9.10. I've created the KSK and ZSK too.

Let's say my domain is "robert.com.uk".

How do I have to give the KSK (key signing key) to my parent zones, let's
say COM and UK ???

And what if COM or UK don't use DNSSEC at all ???

Thanking in advance,

Robert
Anand Buddhdev
2018-10-03 19:31:12 UTC
On 03/10/2018 21:24, Roberto Carna wrote:

Hi Roberto,
Post by Roberto Carna
Dear people, I have DNSSEC implemented in my authoritative domain in BIND
9.10. I've created the KSK and ZSK too.
Let's say my domain is "robert.com.uk".
How do I have to give the KSK (key signing key) to my parent zones, let's
say COM and UK ???
Typically, you won't submit the KSK, but a hash of it, called a DS
record. You can generate a DS record using the dnssec-dsfromkey tool,
which is part of BIND.

Your domain will be registered through some registrar. You need to log
into your registrar's web interface, and submit your DS record through
that interface. They will transmit the DS record to the COM or UK
registry which will publish the DS record.
Post by Roberto Carna
And what if COM or UK don't use DNSSEC at all ???
Well, COM and UK *are* signed. But if the parent isn't signed, then
there's no point in publishing DS records, because there's no way to
validate the chain of trust. In fact, in general unsigned parent zones
will not even accept DS records.

Regards,
Anand
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Mark Andrews
2018-10-03 19:35:45 UTC
You give the matching DS record via your registrar much the same way as you do the NS RRset or glue address records. If your registrar doesn’t support DNSSEC you will need to change registrars.

If your parent zone uses CDS or CDNSKEY then publish those records at the zone apex.

If your parent zone is not signed then start complaining.
--
Mark Andrews
Roberto Carna
2018-10-04 15:03:23 UTC
Hello, thanks to both of you for your help. Now I understand I have to
contact my registrar in order to give it the DS of the KSK.

Please I have a last question:

I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:

client1.com.uk
client2.edu.uk
client3.info.uk

Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?

And do I have to tell my clients I will sign their zones or it is
transparent for them?

Thanks a lot again, regards !!!
Mark Elkins
2018-10-04 19:16:57 UTC
Post by Roberto Carna
Hello, thanks to both of you for your help. Now I understand I have to
contact my registrar in order to give it the DS of the KSK.
I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:
client1.com.uk
client2.edu.uk
client3.info.uk
Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?
I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.

(Use a different Key)
Post by Roberto Carna
And do I have to tell my clients I will sign their zones or it is
transparent for them?
DNSSEC is a good thing - but I'd suggest telling the clients that this
is happening. DNSSEC usually introduces the need to have extra DNS
actions happen - even on an otherwise static Zone. Thus - there is more
that might possibly break. On the other hand, it makes resolving items in
that zone far more secure and allows for newer possibilities such as
TLSA records for Web and Mail services. I believe the customer should be
made aware of all these pros and cons.

(Yes)
--
Mark James ELKINS - Posix Systems - (South) Africa
***@posix.co.za Tel: +27.128070590 Cell: +27.826010496
For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
Roberto Carna
2018-10-04 19:56:43 UTC
Thanks a lot Mark, regards !!!
Chris Thompson
2018-10-05 15:57:53 UTC
[...]
Post by Mark Elkins
Post by Roberto Carna
I have two DNS servers running BIND 9.10, they have delegated my own
domain, let's say "robert.com.uk" and some other domains from our clients,
let's say:
client1.com.uk
client2.edu.uk
client3.info.uk
Can I sign these client zones with my ZSK, or do I have to have a
different key for each domain?
I believe common practice is to create separate KSK and ZSK keys for
each domain - so each domain will have their own DS records in the
parent. This way, if one of the clients moves their domain to a new DNS
provider - there is no security conflict in the move from shared keys.
Even if you make the (RDATA of) the KSKs identical for the different zones
the DS records you will need to insert into the parent zones will be
different, because the hashing algorithm includes the KSK owner name
(i.e. the zone name) in its input. See RFC 4034 section 5.1.4.

Similarly using ZSKs with identical RDATA in the different zones will
not make any of the RRSIGs the same (e.g. for the www.[zonename] RRs
in different zones), because the full owner name is included in the
hashing input.
Post by Mark Elkins
(Use a different Key)
Yes. Because there are no advantages whatsoever in doing otherwise!
--
Chris Thompson
Email: ***@cam.ac.uk
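Anand's reply describes the DS record as a hash of the KSK, and Chris's note explains why the same KSK RDATA in two zones still yields two different DS records: the owner name is part of what gets hashed (RFC 4034 section 5.1.4). The Python below is an added example written for this page, not code from the thread's authors or from BIND. It computes a DS record the way the RFC defines it (and dnssec-dsfromkey implements it): key tag per RFC 4034 Appendix B, digest type 2 (SHA-256) over the canonical owner name followed by the DNSKEY RDATA. The key bytes are a constructed dummy, not real key material, and the zone names and the `demo` helper are illustrative.

```python
"""Compute a DS record from a DNSKEY per RFC 4034 section 5.1.4.

Added example for this thread, not BIND code. It shows why identical KSK
RDATA in two zones gives two different DS digests: the zone name is hashed.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, length-prefixed labels, terminated by the empty root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(zone: str, rdata: bytes, digest_type: int = 2) -> str:
    """digest = hash(canonical owner name || DNSKEY RDATA), hex, uppercase."""
    h = DIGEST_ALGS[digest_type]()
    h.update(owner_name_wire(zone))
    h.update(rdata)
    return h.hexdigest().upper()


def parse_dnskey_line(line: str):
    """Parse one presentation-format DNSKEY RR, as found in a K<zone>.+<alg>+<tag>.key
    file or a dig DNSKEY answer line (TTL optional). Returns (owner, rdata)."""
    tokens = line.split()
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """Presentation-format DS RR in the same shape dnssec-dsfromkey prints."""
    owner, rdata = parse_dnskey_line(dnskey_line)
    algorithm = rdata[3]  # byte 3 of the RDATA is the algorithm number
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


# Constructed dummy key: NOT a real RSA public key, just bytes to hash.
SAMPLE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xC0, 0xFF, 0xEE])
# flags 257 = zone key with the SEP bit (a KSK), protocol 3, algorithm 8 = RSASHA256.
SAMPLE_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_PUBKEY)
SAMPLE_B64 = base64.b64encode(SAMPLE_PUBKEY).decode()


def demo():
    """The same KSK RDATA published in two zones gives two different DS digests."""
    ds_robert = ds_record(f"robert.com.uk. IN DNSKEY 257 3 8 {SAMPLE_B64}")
    ds_client = ds_record(f"client1.com.uk. IN DNSKEY 257 3 8 {SAMPLE_B64}")
    return ds_robert, ds_client


if __name__ == "__main__":
    for rr in demo():
        print(rr)
```

The key tag and the owner name both appear in the DS, so what the registrar publishes for robert.com.uk can never be reused for client1.com.uk even when the key bytes are identical. To check the script against BIND, feed it the DNSKEY line from a real `K<zone>.+008+<tag>.key` file and compare with `dnssec-dsfromkey -2` on the same file.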



Roberto Carna
2018-10-05 16:14:11 UTC
Thanks a lot to all of you... Now I understand.

But when I check for the DNSSEC support with:

dig com.uk +dnssec +multi

I can see there is no support at all... so using DNSSEC for xxx.com.uk makes
no sense at all... does it?

; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk. IN A

;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
1403852443 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
2419200 ; expire (4 weeks)
10800 ; minimum (3 hours)
)
uk. 1548 IN RRSIG SOA 8 1 172800 (
20181019160738 20181005150738 43056 uk.
obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF
V75NiX509EzgTeT9Eh0du0kIptjMZKyDON/5ZN7p21BI
E3srTdrMVTNyNqAEa1SZWlTBWcs4FNzFoVkJVfJXwHpF
IDF2ZLlNxjlP9xgWr+YKcEtqUTYF4lfscx5tOF8= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018194223 20181004184445 43056 uk.
RH6cfZjzah93ucxwynKropExMhvWznqV4ySiWAsWLw3T
3IaCQoF/rS5Np/PwcuIzZ5ZLR0dJ/56prKWSKA6l5LBz
4dQWvlceb8oY3o1WvBXn/+UjptIMP87LPtNLxU/JsrGJ
YpO6qsBZXTerhmEAAZi+9tLBCo5dW5CO8n5PlP0= )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
NS DS RRSIG )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181019000937 20181004233936 43056 uk.
ca9n8B+3hjnDKh8KHsM5gDGYq9bJ4Rjh/EQ7fVSO4FK4
VDDFtzhDvQySLfudSq3P0pGdqye/BLjTgC6p4pNUeFhL
SPjJsjcA5SvSha7ZNGgAjjdC4t7Sg0yyGnLxfx129lX2
AbhbpJUjCQ5eX6U56t2IH5/8Dg8uAPOFUF6Ogmk= )
u1fmklfv3rdcnamdc64sekgcdp05bbiu.uk. 1548 IN NSEC3 1 1 0 - (
U1LG7J6JO1NFSU55LON2UMGEUJO912TU
NS SOA RRSIG DNSKEY NSEC3PARAM
TYPE65534 )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN RRSIG NSEC3 8 2 10800 (
20181018165433 20181004163523 43056 uk.
Tt5nrfM6nuJOgMPjULGi2WIN5RB3EZmv+nqODimBe5x8
9axQltyX7OR8iHNR6DzQl33aABgfvC/htUpKmtvOlQ6P
6V+2f/1I021Qcnuo7thu3V3a+ad1XFfHp6IqpEHi0Qxz
H4OsgvzFoycF+v0xpSr4ZSeuElJ0whKBlGWKAuM= )
uj4hvltjom8uroed1a11c346ko9rcp7a.uk. 1548 IN NSEC3 1 1 0 - (
UJSIFQNCG7CTSHF49P4L7HNBMPOSGRMB
NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
;; WHEN: Fri Oct 05 13:12:28 -03 2018
;; MSG SIZE rcvd: 1011


Regards!!!
G.W. Haywood via bind-users
2018-10-05 16:35:39 UTC
Hi there,
Post by Roberto Carna
dig com.uk +dnssec +multi
I can see there is no support at all... so using DNSSEC for xxx.com.uk makes
no sense at all... does it?
Do you mean "xxx.co.uk" and not "xxx.com.uk"?
--
73,
Ged.
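The dig output quoted above reports status NXDOMAIN and, in the AUTHORITY section, RRSIG and NSEC3 records owned under uk.; that combination is signed denial of existence from the parent, which says the queried name does not exist while uk. itself is signed (Ged's co.uk question points the same way). The Python below is an added example, not code posted in the thread or shipped with BIND: it parses the text dig prints and states what the status, the EDNS do flag, the ad flag and the record types say about DNSSEC. A trimmed copy of the quoted response is embedded as sample input; the parser and the interpretation strings are my own construction.

```python
"""Read a `dig ... +dnssec +multi` response and say what it tells you about
DNSSEC. Added example: it parses dig's text output, it does not query anything."""
import re

# Sample input: the com.uk response quoted in this thread, trimmed to three
# AUTHORITY records with a shortened signature (header counts left as dig printed them).
SAMPLE_DIG = """\
; <<>> DiG 9.10.3-P4-Debian <<>> com.uk +dnssec +multi
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55494
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 8, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;com.uk. IN A

;; AUTHORITY SECTION:
uk. 1548 IN SOA dns1.nic.uk. hostmaster.nic.uk. (
1403852443 ; serial
7200 ; refresh (2 hours)
900 ; retry (15 minutes)
2419200 ; expire (4 weeks)
10800 ; minimum (3 hours)
)
uk. 1548 IN RRSIG SOA 8 1 172800 (
20181019160738 20181005150738 43056 uk.
obD8WjHpNUB/GeEdlp2SaJBsp9D0N03cLTCpEn+0UpQF )
m3q6e6871m2p91qts9clvtgqbl1vua1i.uk. 1548 IN NSEC3 1 1 0 - (
M4FDARQNDI0P0UGAD29OKGNPRJKAE5SP
NS DS RRSIG )

;; Query time: 0 msec
;; SERVER: 172.17.10.25#53(172.17.10.25)
"""


def parse_dig(text):
    """Return status, header flags, EDNS flags and (owner, type) pairs per section."""
    out = {"status": None, "flags": set(), "edns_flags": set(), "sections": {}}
    section, pending = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        flags = re.search(r"flags: ([^;]*);", line)
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:") and flags:
            out["flags"] = set(flags.group(1).split())
        elif line.startswith("; EDNS:") and flags:
            out["edns_flags"] = set(flags.group(1).split())
        elif line.endswith("SECTION:"):
            section = line.strip(";: ").split()[0]      # e.g. "AUTHORITY"
            out["sections"].setdefault(section, [])
        elif section and line and not line.startswith(";"):
            pending += " " + line.split(";")[0]          # drop "; serial" style comments
            if pending.count("(") > pending.count(")"):
                continue                                 # +multi record continues
            tokens = pending.replace("(", " ").replace(")", " ").split()
            pending = ""
            rtype = tokens[3] if tokens[1].isdigit() else tokens[2]  # TTL is optional
            out["sections"][section].append((tokens[0], rtype))
    return out


def resolver_validated(parsed):
    """The ad flag means the recursive resolver itself validated the answer."""
    return "ad" in parsed["flags"]


def interpret(parsed):
    """Plain-language reading of what the response says about DNSSEC."""
    if "do" not in parsed["edns_flags"]:
        return "DO bit not set: DNSSEC records were not requested, so nothing can be concluded"
    auth = parsed["sections"].get("AUTHORITY", [])
    types = {t for rrs in parsed["sections"].values() for _, t in rrs}
    soa = [owner for owner, t in auth if t == "SOA"]
    parent = soa[0] if soa else "the answering zone"
    signed = "RRSIG" in types and bool({"NSEC", "NSEC3"} & types)
    if parsed["status"] == "NXDOMAIN":
        if signed:
            return (f"NXDOMAIN: the name does not exist; the denial came from {parent} "
                    f"with RRSIG and NSEC/NSEC3 records, so {parent} is DNSSEC-signed")
        return f"NXDOMAIN: the name does not exist and {parent} returned no signatures"
    if parsed["status"] == "NOERROR":
        if "RRSIG" in types:
            return "NOERROR with RRSIG records: the name exists and its zone is signed"
        return "NOERROR without RRSIG records: the name exists but no signatures came back"
    return f"status {parsed['status']}: no DNSSEC conclusion from this response"


if __name__ == "__main__":
    p = parse_dig(SAMPLE_DIG)
    print(interpret(p))
    print("resolver validated (ad):", resolver_validated(p))
```

Two things the sample makes visible: the answer has the do flag but no ad flag, so the resolver at 172.17.10.25 returned the signatures without validating them itself; and an NXDOMAIN with RRSIG and NSEC3 records from uk. is evidence that the parent is signed, not that DNSSEC is unsupported. Piping real `dig +dnssec +multi` output into `parse_dig` gives the same reading for any other name.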