
Comments

6 comments

  • cPanelLauren
    I don't believe this is possible with the current implementation of DNSSEC we have with PowerDNS through the UI - even the whmapi1 advises the following (quoting http://docs.cpanel.net/search/?product=all&q=DD/WHM+API+1+Functions+-+add_zone_key?desktop=true&macroName=livesearch):
    Note:
    • After you enable DNSSEC on the domain, you must add the Delegation of Signing (DS) records to your zone record and your registrar.
    • You cannot modify the DNSSEC security key. To make any changes, you must disable, delete, and re-create the DNSSEC security key.

    Though using this you could disable, delete and recreate the ZSK only - it's not a rotation in the sense that it will automatically generate a new one. You can view all the DNS related whmapi1 functions here:
  • Erik Ellsinger
    Seems to work, these are the commands I ran:
        whmapi1 fetch_ds_records_for_domains domain=domain.com
        whmapi1 deactivate_zone_key domain=domain.com key_id=4
        whmapi1 add_zone_key domain=domain.com algo_num=14 key_type=zsk active=1
  • Erik Ellsinger
    Found one issue with the method, it doesn't automatically push the change to the DNS-cluster. Even if I do a manual sync of the DNS-cluster the change is still not pushed to the cluster. Seems to be a bug?
  • cPanelLauren
    So there is something of a caveat. There's a script that's supposed to run when these are updated but it doesn't always run immediately.
        [root@server css]# /scripts/dnssec-cluster-keys --help
        NAME
            dnssec-cluster-keys
        SYNOPSIS
            dnssec-cluster-keys [--sync|--revoke] [--zone=] [--tag=] {--nolocal} {--rebuild-cache}
        Options:
            --sync            Action to sync keys to the cluster.
            --revoke          Action to revoke keys from the cluster.
            --zone            Required. The zone to take action on.
            --tag             Required for revoke. Optional for sync. If not defined during a sync, all active keys will be used. Multiple tags can be defined.
            --nolocal         Optional. Do not perform the action on the local server. Useful for testing.
            --rebuild-cache   Rebuild the local cache of domains with DNSSEC enabled.
        Examples:
            Sync all currently active DNSSEC keys:
                ./dnssec-cluster-keys --sync --zone=example.zone
            Sync only specific DNSSEC keys. If any of the keys are disabled locally, they will be enabled.
                ./dnssec-cluster-keys --sync --zone=example.zone --tag=46547 --tag=31016 --tag=44233
            Revoke specific DNSSEC keys from the cluster. WARNING: This will delete the keys locally also.
                ./dnssec-cluster-keys --revoke --zone=example.zone --tag=46547 --tag=31016 --tag=44233
            Revoke a DNSSEC key from the cluster, but keep the local copy.
                ./dnssec-cluster-keys --revoke --zone=example.zone --tag=12345 --nolocal
        DESCRIPTION
            This script is used to manage DNSSEC keys in a cPanel cluster. You must be using PowerDNS as a nameserver, cPanel DNS clustering must be enabled, and have root privileges. This script provides two actions, sync and revoke.
        [root@server css]#
    I apologize for not noting this before; I wasn't aware this was automated. It should get scheduled in /var/cpanel/taskqueue, but if you want immediacy you might try running it manually.
  • Erik Ellsinger
    Doesn't help to sync. The old key is still in the DNS cluster but not on the local server. And I can't run the command with --revoke since I don't have the key tag anymore because I removed the key from cPanel. Can I find the key tag on the DNSOnly server? The DNSSEC records don't seem to be saved in the /var/named zone file.
  • cPanelLauren
    You should be able to get the key tag on the other server by running: pdnsutil show-zone domain.tld
    For example:
        [root@server ~]# pdnsutil show-zone skeleton.farm
        Jun 16 13:48:29 [bindbackend] Done parsing domains, 3 rejected, 52 new, 0 removed
        This is a Master zone
        Last SOA serial number we notified: 0 != 2020061608 (serial in the database)
        Metadata items:
            NSEC3NARROW 1
            NSEC3PARAM 1 0 7 860e6937ff707210
        Zone has NARROW hashed NSEC3 semantics, configuration: 1 0 7 860e6937ff707210
        keys:
        ID = 4 (ZSK), flags = 256, tag = 36483, algo = 8, bits = 1024, created = 1592333257  Active ( RSASHA256 )
        ID = 3 (KSK), flags = 257, tag = 5971, algo = 8, bits = 2048, created = 1592333257  Active ( RSASHA256 )
        KSK DNSKEY = skeleton.farm. IN DNSKEY 257 3 8 AwEAAbyZsqDNKugbIJb8zg7lhy5Lpogm4ylTf32cXzlnQNKLiPN8uepoXHaQgo9r5QGEiDcHV0RW8kjeqjwhsQKFLUGijAFWeSRZ3D4NvtLLKjfsmBFHqk0anOcJwd1fQKi8yq1sdr3t+oNvx6S6mTQSIsCOoch0cz/UfP1HB7scw3/qxAI+8eNDBVo7lfxy+RIynZa+Pq/a24cdDH0yRVTtagO9hCV1XDE+Bt3S5/X9AHO2Xjsvlrp1Scs4njZW0g0n3aTmmQYSH5aex3XJo+DRljxWb1WI4IFFLJq0DvFytMI3xbBUk5BuZQ3+Cp0yddYDd03ru+ZLK1mMxeX4kFjChus= ; ( RSASHA256 )
        DS = skeleton.farm. IN DS 5971 8 1 15d393b583843600cc8b066f5869e382062f030b ; ( SHA1 digest )
        DS = skeleton.farm. IN DS 5971 8 2 78dcfd0751d9a6831b996bb9d9e9fd00d73ab3fe70c7b8aa23771af9ecf00392 ; ( SHA256 digest )
        DS = skeleton.farm. IN DS 5971 8 4 632375477c7950c1e9cbba20a9fde9825ac57af0ca846969c08aaaace8575729e9ee917320c91f943c64d4531b6e729a ; ( SHA-384 digest )
        [root@server ~]#
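As an added example (not part of the thread and not cPanel's or PowerDNS's own tooling), a small Python helper for the situation above: it parses the `keys:` section of `pdnsutil show-zone` output captured on the DNSOnly member and on the local server, reports ZSK tags that only the cluster member still holds, and builds the matching `/scripts/dnssec-cluster-keys --revoke` call. The two listings are constructed samples modelled on the output quoted above, and passing `--nolocal` is my choice because the local copy of the key is already gone.

```python
import re
from typing import Dict, List, Optional

# Constructed sample `pdnsutil show-zone` key listings, modelled on the output quoted
# in the thread; IDs, tags and timestamps are made-up. The cluster member still
# holds ZSK tag 36483, which has already been deleted from the local server.
CLUSTER_KEYS = """\
keys:
ID = 4 (ZSK), flags = 256, tag = 36483, algo = 8, bits = 1024, created = 1592333257  Active ( RSASHA256 )
ID = 5 (ZSK), flags = 256, tag = 51022, algo = 14, bits = 384, created = 1592420000  Active ( ECDSAP384SHA384 )
ID = 3 (KSK), flags = 257, tag = 5971, algo = 8, bits = 2048, created = 1592333257  Active ( RSASHA256 )
"""
LOCAL_KEYS = """\
keys:
ID = 5 (ZSK), flags = 256, tag = 51022, algo = 14, bits = 384, created = 1592420000  Active ( ECDSAP384SHA384 )
ID = 3 (KSK), flags = 257, tag = 5971, algo = 8, bits = 2048, created = 1592333257  Active ( RSASHA256 )
"""

# One key line as printed by show-zone: ID, role, flags, tag, algo, bits, created, state.
KEY_LINE = re.compile(
    r"ID = (?P<id>\d+) \((?P<role>ZSK|KSK|CSK)\), flags = (?P<flags>\d+), "
    r"tag = (?P<tag>\d+), algo = (?P<algo>\d+), bits = (?P<bits>\d+), "
    r"created = \d+\s+(?P<state>\w+)"
)

def parse_keys(show_zone_output: str) -> List[Dict[str, object]]:
    """Return one dict per DNSSEC key listed in show-zone output."""
    keys = []
    for line in show_zone_output.splitlines():
        m = KEY_LINE.search(line)
        if m:
            keys.append({"id": int(m["id"]), "role": m["role"], "tag": int(m["tag"]),
                         "algo": int(m["algo"]), "active": m["state"] == "Active"})
    return keys

def stale_cluster_tags(cluster_output: str, local_output: str, role: str = "ZSK") -> List[int]:
    """Tags of `role` keys the cluster member lists but the local server no longer has."""
    local_tags = {k["tag"] for k in parse_keys(local_output)}
    return sorted(k["tag"] for k in parse_keys(cluster_output)
                  if k["role"] == role and k["tag"] not in local_tags)

def revoke_command(zone: str, tags: List[int]) -> Optional[str]:
    """Build the dnssec-cluster-keys revoke call from the thread; None if nothing to revoke.
    --nolocal is added because the key no longer exists on the local server."""
    if not tags:
        return None
    tag_args = " ".join(f"--tag={t}" for t in tags)
    return f"/scripts/dnssec-cluster-keys --revoke --zone={zone} {tag_args} --nolocal"
```

Run `stale_cluster_tags(CLUSTER_KEYS, LOCAL_KEYS)` and feed the result to `revoke_command` to see the command that clears the orphaned key from the cluster.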
