Discussion:
Update DNSSEC Zone
Peter Fraser
2021-05-10 01:48:38 UTC
Hi All,
I really would appreciate a pointer in the right direction. I took over a bind server recently. I am not new to bind. I have used it many times and honestly prefer it to windows dns but I have never worked with DNSSEC. I have been reading all day and I still can’t figure out how to update the DNSSEC zone. Can anyone assist me please? I did see one site that said I could just put in regular A record entries and run rndc reload and that would resign the zone. I tried that but it didn’t work.

I am using bind-9.14.x and here are the DNSSEC related entries in the zone.

auto-dnssec maintain;
update-policy local;
key-directory "zones/domain-keys";

Best Regards,
SI
John W. Blue via bind-users
2021-05-10 02:34:57 UTC
Hi Peter ..

How do you know your DNSSEC is working to begin with?

Here is a URL that I prefer to use that will help answer that question:

https://dnsviz.net/

What you are looking for is your zone to be “secure”.

Since you are an experienced BIND admin .. any clues to be found in the logs? grep for “unsigned”.

One option that appears to be missing from your conf file is:

zone "supercoolzonehere.com" IN {
inline-signing yes;
};

Which would achieve the result that you described below wherein a record is added and “rndc reload” is executed.

Good hunting.

John

Software Info
2021-05-13 14:41:27 UTC
Wow. Thanks so much for all the responses. Really appreciate it. They made me truly realize that a lot of the info on the net may be either incomplete or just old. I understand a bit better now.
I added the line inline-signing yes; as was suggested and reloaded bind. I am now seeing the .signed, .jbk and .jnl files. The zone also replicates to the slaves and I am seeing the NSEC, RRSIG and DNSKEY entries in the zone files on the slaves. I also checked with the yogaDNS client and it had no problems identifying the DNSSEC server. So I would imagine at this point it is working. I believe as was said too I need now to register the DS with the registrar? Hopefully that should be it if I am not missing anything?

Thanks so much again for the very informative replies.

Best Regards,

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Chuck Aurora
2021-05-16 21:05:55 UTC
Post by Software Info
Wow. Thanks so much for all the responses. Really appreciate it. They
made me truly realize that a lot on the info on the net may be either
incomplete or just old. I understand a bit better now.
I added the line inline-signing yes;
inline-signing is not required; you already had "update-policy local;"
which gives you a key to use with nsupdate(8)'s -l option. This is
a perfectly valid way to maintain zone data, and in my opinion much
better than editing zone files and inline-signing. You have taken a
step backwards.

This has the overview of both DNSSEC and dynamic zones:

http://ftp.isc.org/isc/bind/cur/9.16/doc/arm/html/advanced.html

See section "5.2. Dynamic Update". Also see the "auto-dnssec
maintain;" option described there. With a dynamic zone and
nsupdate, inline-signing is completely unnecessary.

For those who insist on editing zone files rather than learning how
to use nsupdate, I still recommend "update-policy local;" see Tony
Finch's post where he mentions his nsdiff tool.
Post by Software Info
as was suggested and reloaded
bind. I am now seeing the .signed, .jbk and .jnl files. The zone also
replicates to the slaves and I am seeing the NSEC, RRSIG and DNSKEY
entries in the zone files on the slaves. I also checked with the
yogaDNS client and it had no problems identifying the DNSSEC server.
So I would imagine at this point it is working. I believe as was said
too I need now to register the DS with the registrar? Hopefully that
should be it if I am not missing anything?
Yes, submitting the DS to the registrar is always the last step to
take in signing. It's best to be sure the signing is being done
before you tell the world to accept only signed data from your zone.
We see that a lot, BTW. :)
Post by Software Info
Thanks so much again for the very informative replies.
And a highly opinionated one? :)

I'd also recommend the DNSSEC guide,

https://bind9.readthedocs.io/en/latest/dnssec-guide.html

This is all on one page; or, the same document broken down in
sections can be seen here:

http://dnsinstitute.com/documentation/dnssec-guide/dnssec-guide.html

Tony Finch
2021-05-10 10:53:07 UTC
Post by Peter Fraser
I am using bind-9.14.x and here are the DNSSEC related entries in the zone.
auto-dnssec maintain;
update-policy local;
key-directory "zones/domain-keys";
How you go about this depends on whether your configuration enables
`inline-signing` or not.

If it has inline-signing, you should see in the filesystem that each zone
file has .signed (and possibly .jnl) files alongside. You can update the
zone using

(edit the non-.signed zone file)
rndc reload

If it does not have inline-signing I prefer to use `nsupdate` to update
the zones, usually with my `nsdiff` or `nsvi` tools. Or you can,

rndc freeze
(edit the zone file)
rndc thaw

https://dotat.at/prog/nsdiff/

Tony.
--
f.anthony.n.finch <***@dotat.at> https://dotat.at/
Biscay: Southwest 3 to 5 increasing 5 to 7. Rough, occasionally
moderate in east, becoming very rough in west. Thundery showers. Good,
occasionally poor.
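An added example (not from any poster in this thread) covering both the nsupdate route Chuck and Tony describe for a zone with "update-policy local; auto-dnssec maintain;" and Chuck's advice to confirm the zone is really being signed before handing the DS to the registrar. It builds the batch that "nsupdate -l" would consume and checks a dig answer section for an RRSIG covering the RRset; the zone name, record and dig output are constructed sample values.

```shell
#!/bin/sh
# Helper for a dynamic, auto-signed BIND zone. Example names and data are
# constructed for illustration (example.com / 192.0.2.10 are documentation values).

# Emit an nsupdate batch that replaces one RRset. On the name server run:
#   build_update_batch example.com www.example.com A 192.0.2.10 | nsupdate -l
# "-l" uses the session key that "update-policy local;" makes named generate,
# and with "auto-dnssec maintain;" named re-signs the changed RRset itself.
build_update_batch() {
    zone=$1; name=$2; rtype=$3; rdata=$4; ttl=${5:-3600}
    printf 'zone %s\n' "$zone"
    printf 'update delete %s %s\n' "$name" "$rtype"   # drop the old RRset, if any
    printf 'update add %s %s %s %s\n' "$name" "$ttl" "$rtype" "$rdata"
    printf 'send\n'
}

# Read the answer section of "dig +dnssec +noall +answer NAME TYPE" on stdin.
# Returns 0 only when the data RRset AND an RRSIG covering that type are both
# present; an unsigned answer (no RRSIG) returns 1.
rrset_is_signed() {
    rtype=$1
    awk -v t="$rtype" '
        $4 == t                   { data = 1 }
        $4 == "RRSIG" && $5 == t  { sig = 1 }
        END { exit !(data && sig) }'
}

# Convenience wrapper: check a captured answer section held in a variable.
check_signed() { printf '%s' "$1" | rrset_is_signed "$2"; }

# Constructed sample answer sections (not real dig output).
SIGNED_ANSWER='www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 13 3 3600 20210610000000 20210511000000 12345 example.com. c29tZXNpZw==
'
UNSIGNED_ANSWER='www.example.com. 3600 IN A 192.0.2.10
'

# Stand-alone run: show the batch and report whether the sample answer is signed.
build_update_batch example.com www.example.com A 192.0.2.10
if check_signed "$SIGNED_ANSWER" A; then
    echo "RRset is signed: safe to publish the DS"
else
    echo "RRset is NOT signed: do not publish the DS yet"
fi
```

Only once the live answer for your own zone passes a check like this should the DS be submitted to the registrar.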