2/2/2009 3:55:12 PM

You have now signed one zone file and may be looking
for a way to manage signing across the many zones you are responsible for.

You would like to protect the private keys, keep the dssets (the DS record
files written by dnssec-signzone) up to date, and re-sign the zones with as
much automation as possible. There are products you can purchase to perform
these tasks. However, you may want to try this manual process until you
understand what needs to be automated for your organization.

Step #1: Download the tools

We recommend signing the zones offline on a computer that
has the ability to burn a CDR or write to a USB memory stick, so that the
zones and keys can be backed up and preserved.

Download the latest BIND keygen and zone signing tools for
Windows here:


http://www.dnssecreport.com/winbin.zip


Open and unzip these tools into /Windows/System32

Step #2: Create Zone folders

Let's say you have 6 zones that you wish to sign and maintain.
We recommend you create one folder to store all your zones, keys, and
scripts. For the fictitious zones vanity.org, vanity.net, vanity.com,
and vanity2 in the same three TLDs, the layout would be:


./MyZoneFolder
vanity-org
vanity-net
vanity-com
vanity2-org
vanity2-net
vanity2-com


Each of the remaining steps will need to be repeated for every zone in your
folder.

Step #3: Copy zone files from Master DNS

Copy the vanity zone files from the Master DNS. You may wish to use
encrypted zip files, email, and/or scp to move files between the Master
and the signing computer. After the copy is complete, disconnect the
signing computer from the network.

Step #4: Create KSK and ZSK keys

Use the downloaded tools in Step #1 to generate the keys in a 'cmd'
window:

NSEC3 (more secure)

dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 2048 -n ZONE vanity.org
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE vanity.org
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -e -n ZONE vanity.org


Alternate signing: NSEC (allows zone enumeration)

dnssec-keygen -f KSK -a RSASHA1 -b 2048 -n ZONE vanity.org
dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE vanity.org
dnssec-keygen -a RSASHA1 -b 2048 -e -n ZONE vanity.org


Notice: These commands may take up to 1 hour each. You may
want to script these jobs in a bat file for all your zones and allow them
to run overnight.

Step #5: Update zone files

Before you sign the zones, the keys will need to be incorporated
into the zone files.

Use the following procedure:

http://www.dnssecreport.com/DNSSECReport/Content.aspx?SID=4

Repeat for every zone in your zone folder.

Step #6: Sign the zones

Use either the NSEC or NSEC3 signzone procedure to sign each zone.
Below is a sample script that saves the previous dsset, signs the zone,
and then compares the new dsset with the previous one to determine
whether it must be uploaded to the parent zone administrator after signing.
We recommend that this script be created in each zone folder and
tailored to the domain name.

NSEC3 (more secure)

cp last-dsset.txt old-dsset.txt
mv dsset-vanity.org. last-dsset.txt
dnssec-signzone -a -H 10 -3 aaaa \
-k Kvanity.org.+007+56487 \
-o vanity.org vanity.org Kvanity.org.+007+62648
diff dsset-vanity.org. last-dsset.txt


Alternate signing, NSEC (allows zone enumeration)

cp last-dsset.txt old-dsset.txt
mv dsset-vanity.org. last-dsset.txt
dnssec-signzone -a \
-k Kvanity.org.+005+56487 \
-o vanity.org vanity.org Kvanity.org.+005+62648
diff dsset-vanity.org. last-dsset.txt


Check the diff results of the dsset files. If they have changed,
or if this is the first signing, follow the published procedures
to upload the dssets and keysets to the parent zone
administrator(s).
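As an added example (not code from the original page or from the BIND distribution), the following POSIX shell script turns the "compare dssets" step into a repeatable check across all zone folders. It ignores cosmetic differences between two dsset files (comment lines, whitespace, record order), treats a missing previous dsset as the first signing, and confirms that the DS records about to be sent to the parent refer to the same KSK key tag that was passed to dnssec-signzone with -k. It assumes the folder layout from Step #2, the file names used in the sample script above (dsset-vanity.org. and last-dsset.txt), and that sed and awk are available alongside the cp, mv and diff used above; the function and script names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original page or the BIND tools.
# Compares the dsset written by the latest dnssec-signzone run with the
# one saved from the previous run (the last-dsset.txt convention from
# Step #6) and checks that the DS records refer to the KSK passed to
# dnssec-signzone with -k. Assumes a POSIX shell with sed and awk and
# the zone folder layout from Step #2 (folder name = zone name with
# the last "." replaced by "-").

# Print a dsset file with comments, blank lines and extra whitespace
# removed and records sorted, so that cosmetic differences do not
# register as changes. A missing file (first signing) prints nothing.
normalize_dsset() {
    [ -f "$1" ] || return 0
    sed -e 's/;.*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' "$1" | grep -v '^$' | sort
}

# True (exit 0) when the DS set differs from the previous one, or when
# no previous dsset exists yet; false (exit 1) when nothing changed.
dsset_changed() {
    # $1 = new dsset file, $2 = dsset saved from the previous signing
    [ -f "$2" ] || return 0
    [ "$(normalize_dsset "$1")" != "$(normalize_dsset "$2")" ]
}

# Print the key tags referenced by the DS records in a dsset file.
# A DS record reads: <owner> IN DS <keytag> <alg> <digesttype> <digest>
dsset_keytags() {
    normalize_dsset "$1" \
        | awk '{ for (i = 1; i < NF; i++) if ($i == "DS") print $(i + 1) }' \
        | sort -u
}

# Key tag from a BIND key file name: Kvanity.org.+007+56487 -> 56487.
# Leading zeros (Kvanity.org.+007+05648) and a .key suffix are dropped.
ksk_tag_from_filename() {
    printf '%s\n' "$1" | awk -F'+' '{ print $NF + 0 }'
}

# True when every DS record in the dsset refers to the given KSK, i.e.
# the DS you are about to send to the parent matches the key you signed
# with; false when the dsset is empty or names another key tag.
dsset_matches_ksk() {
    # $1 = dsset file, $2 = KSK file name given to dnssec-signzone -k
    want=$(ksk_tag_from_filename "$2")
    tags=$(dsset_keytags "$1")
    [ -n "$tags" ] || return 1
    for tag in $tags; do
        [ "$tag" = "$want" ] || return 1
    done
    return 0
}

# Walk every zone folder and report which zones need a DS upload.
# Run after the per-zone signing scripts from Step #6 have completed.
report_dsset_changes() {
    # $1 = zone folder root, e.g. ./MyZoneFolder
    for dir in "$1"/*/; do
        dir=${dir%/}
        zone=$(basename "$dir" | sed 's/-\([^-]*\)$/.\1/')   # vanity-org -> vanity.org
        if dsset_changed "$dir/dsset-$zone." "$dir/last-dsset.txt"; then
            echo "$zone: DS set changed or first signing - upload to parent"
        else
            echo "$zone: DS set unchanged"
        fi
    done
}

# Usage: sh check-dssets.sh ./MyZoneFolder
if [ $# -eq 1 ]; then
    report_dsset_changes "$1"
fi
```

Run it as "sh check-dssets.sh ./MyZoneFolder" once all zones have been signed. The KSK check is worth running before every upload: a DS record that names a key tag not present in the zone's DNSKEY set leaves the parent with a broken chain of trust, and a diff alone will not catch that if the wrong key was used consistently on both runs.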

Continue on to Step #7, here:

http://www.dnssecreport.com/DNSSECReport/Content.aspx?SID=6