Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Mark Andrews



> On 6 May 2022, at 04:53, frank picabia  wrote:
> 
> 
> 
> On Thu, May 5, 2022 at 3:48 PM Tony Finch  wrote:
> frank picabia  wrote:
> > On Thu, May 5, 2022 at 1:46 PM  wrote:
> > >
> > > Tony wrote a nice article about that:
> > > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> >
> > Thanks for that.  My problem is these notes have little in common with how
> > the digital ocean guide
> > ran it (
> > https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> > ),
> 
> That guide is sadly very out of date. You really don't want to use SHA1
> (https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
> and for at least 10 years it has been much easier to use `named`s
> automatic signing than to use dnssec-signzone.
> 
> I think if you are still using `dnssec-signzone`, I would recommend
> switching over to automatic signing with your existing keys, before doing
> an algorithm rollover. And set up a test zone so that you can run through
> the process a few times, so that you can learn from your mistakes before
> doing it in production.
> 
> > and I don't think our domain registrar supports CDS records.
> 
> You can ignore the CDS stuff - my registrar didn't support it either, but
> I have tools that can use my CDS records to work out the correct thing to
> tell my registrar to do.
> 
> > I don't understand how people can run little rndc commands as if this
> > sticks without putting an include for the keys in the zone file.
> 
> `named` automatically adds the keys to the zone according to the timing
> information in the key files. (At least, that's the way I did it before
> dnssec-policy made things even more automatic.)

It still does.  dnssec-policy just automates steps that were done manually
previously.

> Agreed that the digital ocean guide is out of date. That's why I'm redoing
> the steps with algorithm 8.  In our case, we have a DNS service to protect
> from DDOS and we need to transfer the whole zone to them periodically or from
> updates. I don't think the Bind built-in signing would work for this situation.

Of course it does.  You can extract the signed zone the same way as secondaries
transfer it.  Whatever you were doing for DDOS protection can still be done
with named signing the zone.  The key files are still there.  The zone content
is still there.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742  INTERNET: ma...@isc.org

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread frank picabia
On Thu, May 5, 2022 at 3:48 PM Tony Finch  wrote:

> frank picabia  wrote:
> > On Thu, May 5, 2022 at 1:46 PM  wrote:
> > >
> > > Tony wrote a nice article about that:
> > > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
> >
> > Thanks for that.  My problem is these notes have little in common with
> how
> > the digital ocean guide
> > ran it (
> >
> https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> > ),
>
> That guide is sadly very out of date. You really don't want to use SHA1
> (https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
> and for at least 10 years it has been much easier to use `named`s
> automatic signing than to use dnssec-signzone.
>
> I think if you are still using `dnssec-signzone`, I would recommend
> switching over to automatic signing with your existing keys, before doing
> an algorithm rollover. And set up a test zone so that you can run through
> the process a few times, so that you can learn from your mistakes before
> doing it in production.
>
> > and I don't think our domain registrar supports CDS records.
>
> You can ignore the CDS stuff - my registrar didn't support it either, but
> I have tools that can use my CDS records to work out the correct thing to
> tell my registrar to do.
>
> > I don't understand how people can run little rndc commands as if this
> > sticks without putting an include for the keys in the zone file.
>
> `named` automatically adds the keys to the zone according to the timing
> information in the key files. (At least, that's the way I did it before
> dnssec-policy made things even more automatic.)
>
>
Agreed that the digital ocean guide is out of date. That's why I'm redoing
the steps with algorithm 8.  In our case, we have a DNS service to protect
from DDOS and we need to transfer the whole zone to them periodically or from
updates. I don't think the Bind built-in signing would work for this situation.


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Tony Finch
frank picabia  wrote:
> On Thu, May 5, 2022 at 1:46 PM  wrote:
> >
> > Tony wrote a nice article about that:
> > https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Thanks for that.  My problem is these notes have little in common with how
> the digital ocean guide
> ran it (
> https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
> ),

That guide is sadly very out of date. You really don't want to use SHA1
(https://www.dns.cam.ac.uk/news/2020-01-09-sha-mbles.html)
and for at least 10 years it has been much easier to use `named`s
automatic signing than to use dnssec-signzone.

I think if you are still using `dnssec-signzone`, I would recommend
switching over to automatic signing with your existing keys, before doing
an algorithm rollover. And set up a test zone so that you can run through
the process a few times, so that you can learn from your mistakes before
doing it in production.

> and I don't think our domain registrar supports CDS records.

You can ignore the CDS stuff - my registrar didn't support it either, but
I have tools that can use my CDS records to work out the correct thing to
tell my registrar to do.

> I don't understand how people can run little rndc commands as if this
> sticks without putting an include for the keys in the zone file.

`named` automatically adds the keys to the zone according to the timing
information in the key files. (At least, that's the way I did it before
dnssec-policy made things even more automatic.)

-- 
Tony Finch(he/they)  Cambridge, England
Trafalgar: Northerly or northeasterly 4 or 5, occasionally 3 in far
southeast. Moderate, but slight in far southeast. Fair. Good.
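Tony's advice above hinges on timing: a DS at the parent must never point at a DNSKEY the child has stopped publishing, which is exactly the failure mode the original post describes. The following is an added example, not code from the thread or from BIND; it computes the DS that each DNSKEY implies (RFC 4034 key tag, SHA-256 digest type 2) and reports any parent DS left dangling by a child DNSKEY set. The zone name and key material are constructed placeholders, not real keys.

```python
import base64
import hashlib
import struct

DIGEST_SHA256 = 2  # DS digest type 2 (RFC 4509)

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-cased, length-prefixed labels)."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit fold over the RDATA)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str):
    """The (key_tag, algorithm, digest_type, digest) DS tuple the parent should hold."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, DIGEST_SHA256, digest)

def dangling_ds(owner, parent_ds, child_dnskeys):
    """DS records at the parent with no matching DNSKEY in the child zone.
    A non-empty result means validators holding the parent's DS cannot build a
    chain of trust, which is what removing the old key files too early causes."""
    published = {ds_from_dnskey(owner, *key) for key in child_dnskeys}
    return [ds for ds in parent_ds if ds not in published]

# Constructed sample data (placeholder key bytes, not real keys): an old
# RSASHA1-NSEC3-SHA1 (7) KSK and the new RSASHA256 (8) KSK.
OLD_KSK = (257, 3, 7, base64.b64encode(b"old-key-material-placeholder").decode())
NEW_KSK = (257, 3, 8, base64.b64encode(b"new-key-material-placeholder").decode())
ZONE = "example.com."  # hypothetical zone

def check_rollover_state(child_keys):
    """Parent still holds DS for both keys; report which would dangle."""
    parent = [ds_from_dnskey(ZONE, *OLD_KSK), ds_from_dnskey(ZONE, *NEW_KSK)]
    return dangling_ds(ZONE, parent, child_keys)

if __name__ == "__main__":
    print("both keys published:", check_rollover_state([OLD_KSK, NEW_KSK]))
    print("old key dropped early:", check_rollover_state([NEW_KSK]))
```

In practice the two inputs come from `dig DS` at the parent and `dig DNSKEY` at your own authoritative server; only when the result is empty, and the old DS has also been gone from the parent for longer than its TTL, is it safe to retire the old algorithm's keys.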


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread frank picabia
On Thu, May 5, 2022 at 1:46 PM  wrote:

> Hi,
>
> On 5/5/22 6:37 PM, frank picabia  wrote:
> >
> > Hi,
> >
> > I've been running a Bind set up with DNSSEC for many years.
> > It was done following the guide at the digitalocean site.
> >
> > What I don't find in a nice guide, is how to change your algorithm
> > to a more current one, and seamlessly make your domain
> > run under this new chain of data.
> >
> > I tried it on my own estimates of what would be required, and
> > it seemed to be poisoned by dropping mention of the prior
> > keys files in my DNS while the Internet's cached info
> > on our DS is still out there.  Whatever has happened,
> > I've got a running domain again, but there is an angry diagram
> > being drawn at https://dnsviz.net/  when my domain
> > (which
> > will remain nameless) is analyzed.
> >
> > With DNS it is always hard to tell what is going on NOW due
> > to caching, and breakage works this way as well.
> >
> > Is there a guide on transitioning the DNSSEC signing algorithm,
> > or is ISC support the best way to handle this
> > and avoid the risk of total DNS calamity?
>
> Tony wrote a nice article about that:
> https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html
>
> Cheers,
>
> --
> Nico
>
>
Thanks for that.  My problem is these notes have little in common with how
the digital ocean guide ran it (
https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2
), and I don't think our domain registrar supports CDS records.

I don't understand how people can run little rndc commands as if this
sticks without putting an include for the keys in the zone file.  In our
setting, we re-sign the zone from our host management automation.
There's not enough parallel in the world of that Math department's server
and what we have in our host management in production.  Normally I'd be
flexible to play around with something like this if it were apache or
something, but I just experienced a domain outage that makes me prefer
something I can really believe in.


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Jan-Piet Mens via bind-users

> Is there a guide on transitioning the DNSSEC signing algorithm,


One of the best concise instructions on doing this was written by Tony Finch
while at Cambridge, and I have used this [1] successfully a few times.

My recommendation: print it out, and use a red pen to tick off the individual
points as you complete them. The most difficult phases are where the document
says 'wait'. Not only should you wait but also wait 'a bit more'. Timing is
of the essence.

Good luck!

-JP

[1] https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread nicolas

Hi,

On 5/5/22 6:37 PM, frank picabia  wrote:
> Hi,
>
> I've been running a Bind set up with DNSSEC for many years.
> It was done following the guide at the digitalocean site.
>
> What I don't find in a nice guide, is how to change your algorithm
> to a more current one, and seamlessly make your domain
> run under this new chain of data.
>
> I tried it on my own estimates of what would be required, and
> it seemed to be poisoned by dropping mention of the prior
> keys files in my DNS while the Internet's cached info
> on our DS is still out there.  Whatever has happened,
> I've got a running domain again, but there is an angry diagram
> being drawn at https://dnsviz.net/ when my domain (which
> will remain nameless) is analyzed.
>
> With DNS it is always hard to tell what is going on NOW due
> to caching, and breakage works this way as well.
>
> Is there a guide on transitioning the DNSSEC signing algorithm,
> or is ISC support the best way to handle this
> and avoid the risk of total DNS calamity?


Tony wrote a nice article about that: 
https://www.dns.cam.ac.uk/news/2020-01-15-rollover.html

Cheers,

--
Nico


Re: Transitioning to new algorithm for DNSSEC

2022-05-05 Thread Petr Špaček

On 05. 05. 22 18:37, frank picabia wrote:
> Hi,
>
> I've been running a Bind set up with DNSSEC for many years.
> It was done following the guide at the digitalocean site.
>
> What I don't find in a nice guide, is how to change your algorithm
> to a more current one, and seamlessly make your domain
> run under this new chain of data.
>
> I tried it on my own estimates of what would be required, and
> it seemed to be poisoned by dropping mention of the prior
> keys files in my DNS while the Internet's cached info
> on our DS is still out there.  Whatever has happened,
> I've got a running domain again, but there is an angry diagram
> being drawn at https://dnsviz.net/ when my domain (which
> will remain nameless) is analyzed.
>
> With DNS it is always hard to tell what is going on NOW due
> to caching, and breakage works this way as well.
>
> Is there a guide on transitioning the DNSSEC signing algorithm,
> or is ISC support the best way to handle this
> and avoid the risk of total DNS calamity?


We could provide specific answers if we knew enough. For "nameless 
domains" the only answer I can reasonably provide is:

https://blog.powerdns.com/2016/01/18/open-source-support-out-in-the-open/

--
Petr Špaček


Transitioning to new algorithm for DNSSEC

2022-05-05 Thread frank picabia
Hi,

I've been running a Bind set up with DNSSEC for many years.
It was done following the guide at the digitalocean site.

What I don't find in a nice guide, is how to change your algorithm
to a more current one, and seamlessly make your domain
run under this new chain of data.

I tried it on my own estimates of what would be required, and
it seemed to be poisoned by dropping mention of the prior
keys files in my DNS while the Internet's cached info
on our DS is still out there.  Whatever has happened,
I've got a running domain again, but there is an angry diagram
being drawn at https://dnsviz.net/ when my domain (which
will remain nameless) is analyzed.

With DNS it is always hard to tell what is going on NOW due
to caching, and breakage works this way as well.

Is there a guide on transitioning the DNSSEC signing algorithm,
or is ISC support the best way to handle this
and avoid the risk of total DNS calamity?