Monday, September 30, 2013

DNSSEC maintenance tools

DNSSEC takes a reasonable one-time effort to set up, but the real pain is the ongoing work: managing the keys and their expiry, re-signing, rotating keys, and then publishing the DS (Delegation Signer) records with your provider, or, less ideally, with the DLV (DNSSEC Look-aside Validation) registry when your parent zone is not signed.



If you do not own a hardware RNG (Random Number Generator) and are generating keys manually, here are some tools to help you maintain your ZSK (Zone Signing Key) and KSK (Key Signing Key).

1. DNSSEC expiration checking and alerting shell script
(Recommended: run this from a server independent of the authoritative DNS server that serves the signed zone, so the alert still fires when that server is the thing that broke.)
#!/bin/sh
# Pull the RRSIGs for a zone and warn when a signature expiry is close.
if [ -z "$1" ]; then
    echo "Usage: $0 DomainName"
    exit 1
fi
TODAY=`date +%Y%m%d%H%M00`
# Each RRSIG carries "<expiration> <inception>" as 14-digit YYYYMMDDHHMMSS
# timestamps; egrep prints both, so the loop sees the expiration first
# (saved in FAZE) and then the inception (in $j).
for j in `dig "$1" RRSIG | egrep -o '2[0-9]{13} 2[0-9]{13}'`
do
    if [ ! -z "$FAZE" ]; then
        # Drop HHMMSS so date -d gets a plain YYYYMMDD
        d2=$(date -d "$(( FAZE / 1000000 ))" +%s)
        d1=$(date +%s)
        DIFF=$(( (d2 - d1) / 86400 ))
        if [ "$DIFF" -lt 0 ]; then
            echo "Expired already: inception $j, now $TODAY, expiration $FAZE"
        elif [ "$DIFF" -lt 30 ]; then
            echo "RRSIG expires in $DIFF days, please re-sign $1"
        else
            logger -p daemon.info "Dates are well for $1. RRSIG will expire in $DIFF days"
        fi
        unset FAZE
    else
        FAZE=$j
    fi
done
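As an added example (it is not part of the original post), here is the same check written to parse each RRSIG by field position instead of by regex, with the day arithmetic done in the shell itself so it can be run offline against a saved dig transcript and the expired and near-expiry cases can actually be exercised. The sample dig output embedded below is constructed for the example: the names, key tags and dates are invented and the signature data is truncated.

```sh
#!/bin/sh
# Added example: field-based RRSIG expiry check that runs offline.
# Usage: rrsig_days_left YYYYMMDD < dig-output

WARN_DAYS=${WARN_DAYS:-30}

# Julian day number of a YYYYMMDD date, integer arithmetic only, so there is
# no dependency on GNU "date -d". Leading zeros are stripped to avoid octal.
jdn() {
    _y=${1%????}; _md=${1#????}
    _m=${_md%??};  _d=${_md#??}
    _m=${_m#0};    _d=${_d#0}
    _a=$(( (14 - _m) / 12 ))
    _yy=$(( _y + 4800 - _a ))
    _mm=$(( _m + 12 * _a - 3 ))
    echo $(( _d + (153 * _mm + 2) / 5 + 365 * _yy + _yy / 4 - _yy / 100 + _yy / 400 - 32045 ))
}

# Read dig output on stdin, print one line per RRSIG and return
# 0 when every signature has at least WARN_DAYS left, 1 when some
# signature expires sooner, 2 when some signature has already expired.
# $1 is today's date as YYYYMMDD (passed in so runs are reproducible).
rrsig_days_left() {
    today=$(jdn "$1")
    status=0
    # dig prints "owner ttl class RRSIG type alg labels origttl expiration inception tag signer sig",
    # so the covered type is field 5 and the expiration timestamp is field 9.
    rrsigs=$(awk '$4 == "RRSIG" { print $5 ":" $9 }')
    for item in $rrsigs; do
        covered=${item%%:*}
        expiry=${item#*:}
        # Drop HHMMSS: day granularity is enough for an expiry warning
        left=$(( $(jdn "${expiry%??????}") - today ))
        if [ "$left" -lt 0 ]; then
            echo "EXPIRED  $covered signature expired $expiry ($(( -left )) days ago)"
            status=2
        elif [ "$left" -lt "$WARN_DAYS" ]; then
            echo "WARNING  $covered signature expires $expiry in $left days"
            if [ "$status" -eq 0 ]; then status=1; fi
        else
            echo "OK       $covered signature expires $expiry in $left days"
        fi
    done
    return "$status"
}

# Constructed sample in the shape of "dig example.com RRSIG" output; names,
# key tags and dates are invented and the signature data is truncated.
SAMPLE_DIG_OUTPUT='; <<>> DiG 9.9.3 <<>> example.com RRSIG
;; ANSWER SECTION:
example.com.   3600  IN  RRSIG  SOA 5 2 3600 20131030120001 20130928120001 12345 example.com. AbCd...
example.com.   3600  IN  RRSIG  DNSKEY 5 2 3600 20140101120001 20130101120001 54321 example.com. EfGh...
example.com.   3600  IN  RRSIG  MX 5 2 3600 20130925120001 20130824120001 12345 example.com. IjKl...'

printf '%s\n' "$SAMPLE_DIG_OUTPUT" | rrsig_days_left 20131001
echo "exit status: $?"
```

In production, replace the sample with the live output of dig "$DOMAIN" RRSIG (or dig +dnssec "$DOMAIN" SOA) and pass `date +%Y%m%d` as the first argument; the exit status (0 fine, 1 warning, 2 expired) is what a cron job or monitoring check should act on, rather than the printed lines.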
2. DNSSEC Key rotation and renewal
(Ah, so you got an alert from the script above saying the signatures for your domain are about to expire or have expired.)
Here are the assumptions for this script
  • You have a 512-bit ZSK and a 1024-bit KSK, as generated below; be aware that these sizes and RSASHA1 are well below current guidance (RSASHA256 with at least a 1024-bit ZSK and a 2048-bit KSK, or ECDSAP256SHA256), so adjust the dnssec-keygen arguments accordingly
  • You rotate the ZSK every month and the KSK every year (don't forget to update your DS (Delegation Signer) record at your domain service provider after every KSK change)
  • Your zone files are in /var/named/chroot/var/named/data and your keys are in /var/named/chroot/var/keys (ZSKs live in the zkeys folder under it, retired keys go to the archive folder)
  • Your zone serial number is a 10-digit number like 2013011301 (the script adds one to it on every run)
#!/bin/sh
# Monthly ZSK / yearly KSK rotation for one zone, then re-sign and reload.
if [ -z "$1" ] || [ -z "$2" ]; then
    echo "Usage: $0 [-monthly|-yearly] DomainName"
    exit 1
fi

DOMAIN=$2
# Where your keys are kept and where the zone files live
KDIR=/var/named/chroot/var/keys
ZDIR=/var/named/chroot/var/named/data
# 32 days of validity for each signature made with the ZSK
EXPIRY=`date --date="32 days" +%Y%m%d120001`
mkdir -p "$KDIR/archive" "$KDIR/zkeys"
# The zone file is referenced by bare name below, so work from the zone directory
cd "$ZDIR" || exit 1

monthly_r()
{
    # Bump the serial in the unsigned zone (first 10-digit number in the file)
    serial=`egrep -o '[0-9]{10}' "$DOMAIN" | head -n 1`
    ns=$((serial + 1))
    mv "$DOMAIN" "$DOMAIN.bak"
    echo "serial $serial -> $ns"
    sed -e "s/$serial/$ns/" "$DOMAIN.bak" > "$DOMAIN"
    # Generate your new ZSK every month; the previous one goes to the archive
    mv "$KDIR"/zkeys/* "$KDIR/archive" 2>/dev/null
    nzsk=`/usr/sbin/dnssec-keygen -r /dev/urandom -a RSASHA1 -b 512 -n ZONE -K "$KDIR/zkeys" "$DOMAIN"`
    # -S picks up the KSK from $KDIR; the new ZSK is passed explicitly
    /usr/sbin/dnssec-signzone -N INCREMENT -S -K "$KDIR" -e "$EXPIRY" "$DOMAIN" "$KDIR/zkeys/$nzsk" || exit 1
    # named must be configured to load $DOMAIN.signed; never reload a broken zone
    named-checkzone "$DOMAIN" "$DOMAIN.signed" || exit 1
    rndc reload "$DOMAIN"
}

case "$1" in
 (-yearly)
    # Generate your new KSK every year. The old KSK is retired in the same run,
    # so the zone only validates again once the parent publishes the new DS.
    mv "$KDIR"/K"$DOMAIN".* "$KDIR/archive" 2>/dev/null
    /usr/sbin/dnssec-keygen -r /dev/urandom -f KSK -a RSASHA1 -b 1024 -K "$KDIR" -n ZONE "$DOMAIN"
    monthly_r
    ;;
 (-monthly)
    monthly_r
    ;;
 (*)
    echo "Usage: $0 [-monthly|-yearly] DomainName"
    exit 1
    ;;
esac


You can set this up as a cron job that runs monthly as "/var/named/chroot/var/named/dnssec-renew.sh -monthly", and once a year run "/var/named/chroot/var/named/dnssec-renew.sh -yearly" by hand, since the KSK change needs a DS update at your provider. Note that the signatures are made valid for 32 days while the checking script warns at 30, so it will start warning a couple of days after each monthly run; either sign for longer (60 days, say) or lower the warning threshold so that the alert only fires when the cron job has actually failed.

Once you generate a new KSK, you also have to update the DS record at your DNS provider. Don't delete the old DS record first: publish the new DS record alongside it, wait for well over the DS TTL (about a day is a comfortable margin), and only then remove the old DS record at your upstream provider. Be aware that the -yearly mode as written retires the old KSK from the zone in the same run, so until the parent publishes the new DS, validators see a DNSKEY RRset that no longer matches the old DS and the zone fails validation. For a rollover with no gap, generate the new KSK first while leaving the old one in the key directory (so -S signs the DNSKEY RRset with both), publish the new DS, wait out the TTLs, remove the old DS, and only then move the old KSK to the archive and re-sign.

In this setup, all the old keys are moved to the "archive" folder at each rotation. This is the simplest way to automate ZSK renewal, but it is a flag-day rollover: the old ZSK disappears from the DNSKEY RRset while resolvers may still hold signatures it made, so those cached RRSIGs fail validation until they expire from cache. The pre-publish rollover described in RFC 6781 (add the new ZSK to the DNSKEY RRset at least one TTL before signing with it, and keep the old ZSK published for at least one TTL after the last signatures it made are gone) avoids that. You can also update the key lengths and add NSEC3 support as appropriate for your needs.

Enjoy DNSSEC

