NSD and DNSSEC signature refreshing and ZSK rotation

Jasper_Wallace · February 15, 2018, 1:02am

Hi,

When NSD serves a signed zone will it also re-sign it and rotate ZSK's as
needed? Or do you have to use e.g. OpenDNSSEC to handle it?

PaulWouters · February 15, 2018, 5:07am

You need opendnssec or another tool that handles key management and signing. nsd just serves the dns data

Paul

Michael_A_Peters · February 15, 2018, 12:53pm

NSD only serves the zone file. The entries in the zone file have to be signed and uploaded to your authoritative name server.

Also, even though it is commonly done, you should NOT have your ksk / zsk private keys on your authoritative nameserver.

You should have a signing machine that only has an ssh port open that signs your zone files before sending them to NSD to be served.

If your signing keys are stolen then DNSSEC does not offer much protection, so they should be heavily guarded.

Sebastian_Nielsen · February 15, 2018, 1:13pm

I don't agree. If your KSK/ZSK gets on the wild, its easy to replace them at
the registrar.
I never rotate my ZSK aswell, I just resign them with a future date (with
the same script that renews my Lets Encrypt certificates)

Having a separate signing machine, HSM or similiar security is only required
if you have certain registrar flags that prevents changing of the DNSSEC
keys from the registrar web admin. (these flags are set for high value
domains like paypal.com etc requiring these domains to be updated through
manual means)

-----Ursprungligt meddelande-----

Michael_A_Peters · February 15, 2018, 5:23pm

It takes time to replace the KSK and you have to know it was compromised. ZSK is easy but ZSK should be 1024-bit to keep DNS responses small, which means it should be rotated fairly often. I do once a week (on Sunday) but I believe the recommended is once a month.

Having a separate signing machine is not required, but it is better policy, nameservers have a history being exploitable (especially BIND) and if your signing keys are in the wild, you are vulnerable until they expire. Or rather, users trusting your DNS responses are vulnerable.

This is particularly dangerous if you use DANE to verify TLS certificates for SMTP where certificate authorities are almost never even checked by the connecting SMTP server.

PaulWouters · February 15, 2018, 5:26pm

There is no proof this is needed or required.

And strong reasons to not use 1024 RSA anymore. The root ZSK is now 2048 with no issues reported.

Paul

Michael_A_Peters · February 15, 2018, 6:54pm

Thank you.

I believe the fear was abuse in DDoS amplification attacks.

PaulWouters · February 15, 2018, 7:25pm

That is addressed with DNS-COOKIES and RRL:

https://tools.ietf.org/html/rfc7873

https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html

And of course, one can use ECC based algorithms to reduce the remaining
amplification. DNS software is getting pretty good at reducing this
harm. Good enough to not use 1024 bit RSA anymore.

Paul