<!DOCTYPE html>
<html class="writer-html5" lang="en" data-content_root="./">
<head>
  <meta charset="utf-8" /><meta name="viewport" content="width=device-width, initial-scale=1" />

  <meta name="viewport" content="width=device-width, initial-scale=1.0" />
  <title>5. DNSSEC &mdash; BIND 9 9.18.39-0ubuntu0.24.04.2-Ubuntu documentation</title>
      <link rel="stylesheet" type="text/css" href="_static/pygments.css?v=80d5e7a1" />
      <link rel="stylesheet" type="text/css" href="_static/css/theme.css?v=86f27845" />
      <link rel="stylesheet" type="text/css" href="_static/custom.css?v=9ab34431" />

  
  
        <script src="_static/jquery.js?v=8dae8fb0"></script>
        <script src="_static/_sphinx_javascript_frameworks_compat.js?v=2cd50e6c"></script>
        <script src="_static/documentation_options.js?v=9d4ae9d2"></script>
        <script src="_static/doctools.js?v=888ff710"></script>
        <script src="_static/sphinx_highlight.js?v=dc90522c"></script>
    <script src="_static/js/theme.js"></script>
    <link rel="index" title="Index" href="genindex.html" />
    <link rel="search" title="Search" href="search.html" />
    <link rel="next" title="6. Advanced Configurations" href="chapter6.html" />
    <link rel="prev" title="4. Name Server Operations" href="chapter4.html" /> 
</head>

<body class="wy-body-for-nav"> 
  <div class="wy-grid-for-nav">

    <section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">

      <div class="wy-nav-content">
        <div class="rst-content">
          <div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
           <div itemprop="articleBody">
             
  <section id="dnssec">
<span id="id1"></span><h1><span class="section-number">5. </span>DNSSEC<a class="headerlink" href="#dnssec" title="Link to this heading"></a></h1>
<p>DNS Security Extensions (DNSSEC) provide reliable protection from
<a class="reference external" href="https://en.wikipedia.org/wiki/DNS_cache_poisoning">cache poisoning</a> attacks. At the same time these extensions also provide other benefits:
they limit the impact of <a class="reference external" href="https://www.isc.org/blogs/nsec-caching-should-limit-excessive-queries-to-dns-root/">random subdomain attacks</a> on resolver caches and authoritative
servers, and provide the foundation for modern applications like <a class="reference external" href="https://github.com/internetstandards/toolbox-wiki/blob/main/DANE-for-SMTP-how-to.md">authenticated
and private e-mail transfer</a>.</p>
<p>To achieve this goal, DNSSEC adds <a class="reference external" href="https://en.wikipedia.org/wiki/Digital_signature">digital signatures</a> to DNS records in
authoritative DNS zones, and DNS resolvers verify the validity of the signatures on the
received records. If the signatures match the received data, the resolver can
be sure that the data was not modified in transit.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>DNSSEC and transport-level encryption are complementary!
Unlike typical transport-level encryption like DNS-over-TLS, DNS-over-HTTPS,
or VPN, DNSSEC makes DNS records verifiable at all points of the DNS
resolution chain.</p>
</div>
<p>This section focuses on ways to deploy DNSSEC using BIND. For a more in-depth
discussion of DNSSEC principles (e.g. <a class="reference internal" href="dnssec-guide.html#how-does-dnssec-change-dns-lookup"><span class="std std-ref">How Does DNSSEC Change DNS Lookup?</span></a>)
please see <a class="reference internal" href="dnssec-guide.html"><span class="doc">DNSSEC Guide</span></a>.</p>
<section id="zone-signing">
<span id="dnssec-zone-signing"></span><h2><span class="section-number">5.1. </span>Zone Signing<a class="headerlink" href="#zone-signing" title="Link to this heading"></a></h2>
<p>BIND offers several ways to generate signatures and maintain their validity
during the lifetime of a DNS zone:</p>
<blockquote>
<div><ul class="simple">
<li><p><a class="reference internal" href="#dnssec-kasp"><span class="std std-ref">Fully Automated (Key and Signing Policy)</span></a> - <strong>strongly recommended</strong></p></li>
<li><p><a class="reference internal" href="#dnssec-dynamic-zones"><span class="std std-ref">Manual Key Management</span></a> - only for special needs</p></li>
<li><p><a class="reference internal" href="#dnssec-tools"><span class="std std-ref">Manual Signing</span></a> - discouraged, use only for debugging</p></li>
</ul>
</div></blockquote>
<section id="zone-keys">
<span id="id2"></span><h3><span class="section-number">5.1.1. </span>Zone keys<a class="headerlink" href="#zone-keys" title="Link to this heading"></a></h3>
<p>Regardless of the <a class="reference internal" href="#dnssec-zone-signing"><span class="std std-ref">zone-signing</span></a> method in use, cryptographic keys are
stored in files named like <code class="file docutils literal notranslate"><span class="pre">Kdnssec.example.+013+12345.key</span></code> and
<code class="file docutils literal notranslate"><span class="pre">Kdnssec.example.+013+12345.private</span></code>.
The private key (in the <code class="docutils literal notranslate"><span class="pre">.private</span></code> file) is used to generate signatures, and
the public key (in the <code class="docutils literal notranslate"><span class="pre">.key</span></code> file) is used for signature verification.
Additionally, the <a class="reference internal" href="#dnssec-kasp"><span class="std std-ref">Fully Automated (Key and Signing Policy)</span></a> method creates a third file,
<code class="file docutils literal notranslate"><span class="pre">Kdnssec.example.+013+12345.state</span></code>, which is used to track DNSSEC key timings
and to perform key rollovers safely.</p>
<p>These filenames contain:</p>
<blockquote>
<div><ul class="simple">
<li><p>the key name, which always matches the zone name (<code class="docutils literal notranslate"><span class="pre">dnssec.example.</span></code>),</p></li>
<li><p>the <a class="reference external" href="https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml#dns-sec-alg-numbers-1">algorithm number</a> (013 is ECDSAP256SHA256, 008 is RSASHA256, etc.),</p></li>
<li><p>and the key tag, i.e. a non-unique key identifier (12345 in this case).</p></li>
</ul>
</div></blockquote>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Private keys are required for full disaster recovery. Back up key files in a
safe location and protect them from unauthorized access. Anyone with
access to the private key can create fake but seemingly valid DNS data.</p>
</div>
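<p>As an added illustration (not code from the BIND project), the following Python splits key file names of the form just described into zone name, algorithm number and key tag, and then uses that to check a directory listing for key sets whose <code class="docutils literal notranslate"><span class="pre">.private</span></code> part is missing, which is the check one wants when verifying the backup the warning above asks for. The sample listing is constructed; the algorithm table is a subset of the IANA registry.</p>

```python
import re
from collections import defaultdict
from typing import NamedTuple

# Subset of the IANA DNSSEC algorithm registry, keyed by algorithm number.
DNSSEC_ALGORITHMS = {
    5: "RSASHA1",
    7: "RSASHA1-NSEC3-SHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

# K<zone>+<alg>+<tag>.<ext>, e.g. Kdnssec.example.+013+12345.key
# BIND zero-pads the algorithm to 3 digits and the key tag to 5 digits.
_KEYFILE_RE = re.compile(
    r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?P<ext>key|private|state)$"
)


class KeyFile(NamedTuple):
    name: str       # zone name as written in the file name, trailing dot included
    algorithm: int  # IANA algorithm number
    tag: int        # key tag; only a hint, two keys may share one
    kind: str       # "key" (public), "private" or "state"


def parse_keyfile_name(filename: str) -> KeyFile:
    """Split a BIND key file name into zone, algorithm, tag and kind."""
    m = _KEYFILE_RE.match(filename)
    if m is None:
        raise ValueError(f"not a BIND key file name: {filename!r}")
    return KeyFile(m["name"], int(m["alg"]), int(m["tag"]), m["ext"])


def algorithm_name(number: int) -> str:
    return DNSSEC_ALGORITHMS.get(number, f"UNKNOWN({number})")


def key_sets(filenames):
    """Group file names by (zone, algorithm, tag) -> set of kinds present."""
    groups = defaultdict(set)
    for fn in filenames:
        k = parse_keyfile_name(fn)
        groups[(k.name, k.algorithm, k.tag)].add(k.kind)
    return dict(groups)


def keys_missing_private(filenames):
    """Key sets for which only the public (and maybe state) part is present.

    Without the .private file the key cannot sign, so such a set is not
    sufficient for disaster recovery of the zone.
    """
    return sorted(ident for ident, kinds in key_sets(filenames).items()
                  if "private" not in kinds)


if __name__ == "__main__":
    # Constructed sample directory listing; these are file names, not real keys.
    listing = [
        "Kdnssec.example.+013+12345.key",
        "Kdnssec.example.+013+12345.private",
        "Kdnssec.example.+013+12345.state",
        "Kdnssec.example.+013+54321.key",
    ]
    for fn in listing:
        k = parse_keyfile_name(fn)
        print(f"{fn}: zone={k.name} alg={algorithm_name(k.algorithm)} "
              f"tag={k.tag} kind={k.kind}")
    print("key sets without a private part:", keys_missing_private(listing))
```

<p>Because the key tag is not unique, the grouping key includes the algorithm number as well; two keys with the same tag but different algorithms are different key sets.</p>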
</section>
<section id="fully-automated-key-and-signing-policy">
<span id="dnssec-kasp"></span><h3><span class="section-number">5.1.2. </span>Fully Automated (Key and Signing Policy)<a class="headerlink" href="#fully-automated-key-and-signing-policy" title="Link to this heading"></a></h3>
<p>Key and Signing Policy (KASP) is a method of configuration that describes
how to maintain DNSSEC signing keys and how to sign the zone.</p>
<p>This is the recommended, fully automated way to sign and maintain DNS zones. For
most use cases users can simply use the built-in default policy, which applies
up-to-date DNSSEC practices:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>  zone &quot;dnssec.example&quot; {
      type primary;
      file &quot;dnssec.example.db&quot;;
<span class="hll">      dnssec-policy default;
</span>      inline-signing yes;
  };
</pre></div>
</div>
<p>The <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> statement requires dynamic DNS to be set up, or
<a class="reference internal" href="reference.html#namedconf-statement-inline-signing" title="namedconf-statement-inline-signing"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">inline-signing</span></code></a> to be enabled. In the example above we use the latter.</p>
<p>This is sufficient to create the necessary signing keys, and generate
<code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code>, <code class="docutils literal notranslate"><span class="pre">RRSIG</span></code>, and <code class="docutils literal notranslate"><span class="pre">NSEC</span></code> records for the zone. BIND also takes
care of any DNSSEC maintenance for this zone, including replacing signatures
that are about to expire and managing <a class="reference internal" href="dnssec-guide.html#key-rollovers"><span class="std std-ref">Key Rollovers</span></a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p><a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> needs write access to the zone. Please see
<a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> for more details about implications for zone storage.</p>
</div>
<p>The default policy creates one key that is used to sign the complete zone,
and uses <code class="docutils literal notranslate"><span class="pre">NSEC</span></code> to enable authenticated denial of existence (a secure way
to tell which records do not exist in a zone). This policy is recommended
and typically does not need to be changed.</p>
<p>If needed, a custom policy can be defined by adding a <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> statement
into the configuration:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>dnssec-policy &quot;custom&quot; {
    dnskey-ttl 600;
    keys {
        ksk lifetime P1Y algorithm ecdsap384sha384;
        zsk lifetime 60d algorithm ecdsap384sha384;
    };
    nsec3param iterations 0 optout no salt-length 0;
};
</pre></div>
</div>
<p>This <code class="docutils literal notranslate"><span class="pre">custom</span></code> policy, for example:</p>
<blockquote>
<div><ul class="simple">
<li><p>uses a very short <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> TTL (600 seconds),</p></li>
<li><p>uses two keys to sign the zone: a Key Signing Key (KSK) to sign the key
related RRsets (<code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code>, <code class="docutils literal notranslate"><span class="pre">CDS</span></code>, and <code class="docutils literal notranslate"><span class="pre">CDNSKEY</span></code>), and a Zone Signing
Key (ZSK) to sign the rest of the zone. The KSK is automatically
rotated after one year and the ZSK after 60 days.</p></li>
</ul>
</div></blockquote>
<dl class="simple">
<dt>Also:</dt><dd><ul class="simple">
<li><p>The configured keys have a lifetime set and use the ECDSAP384SHA384
algorithm.</p></li>
<li><p>The last line instructs BIND to generate NSEC3 records for
<a class="reference internal" href="dnssec-guide.html#advanced-discussions-proof-of-nonexistence"><span class="std std-ref">Proof of Non-Existence</span></a>,
using zero extra iterations and no salt. NSEC3 opt-out is disabled, meaning
insecure delegations also get an NSEC3 record.</p></li>
</ul>
</dd>
</dl>
<p>For more information about KASP configuration see <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>.</p>
<p>The <a class="reference internal" href="dnssec-guide.html#dnssec-advanced-discussions"><span class="std std-ref">Advanced Discussions</span></a> section in the DNSSEC Guide discusses the
various policy settings and may be useful for determining values for specific
needs.</p>
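<p>To make the policy settings discussed above concrete, here is an added Python example (not part of BIND or its tooling) that parses a <code class="docutils literal notranslate"><span class="pre">dnssec-policy</span></code> block such as the <code class="docutils literal notranslate"><span class="pre">custom</span></code> one, converts both duration syntaxes BIND accepts (ISO 8601 like <code class="docutils literal notranslate"><span class="pre">P1Y</span></code> and TTL-style like <code class="docutils literal notranslate"><span class="pre">60d</span></code>) to seconds, and lints the result: zero extra NSEC3 iterations and no salt (RFC 9276), a KSK that is not rolled more often than the ZSK, and one algorithm shared by KSK and ZSK (RFC 4035 requires every algorithm in the DNSKEY RRset to sign the whole zone). The second, weakened policy is constructed for the demonstration; the year-is-365-days and month-is-30-days conversion is an assumption of this example.</p>

```python
import re

# Constructed copy of the "custom" policy shown above; not read from named.conf.
CUSTOM_POLICY = '''
dnssec-policy "custom" {
    dnskey-ttl 600;
    keys {
        ksk lifetime P1Y algorithm ecdsap384sha384;
        zsk lifetime 60d algorithm ecdsap384sha384;
    };
    nsec3param iterations 0 optout no salt-length 0;
};
'''

# Constructed counter-example with settings the linter should flag.
WEAK_POLICY = '''
dnssec-policy "weak" {
    keys {
        ksk lifetime 30d algorithm ecdsap256sha256;
        zsk lifetime 60d algorithm ecdsap256sha256;
    };
    nsec3param iterations 10 optout no salt-length 8;
};
'''

_TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_ISO_RE = re.compile(r"p(?:(\d+)y)?(?:(\d+)m)?(?:(\d+)w)?(?:(\d+)d)?"
                     r"(?:t(?:(\d+)h)?(?:(\d+)m)?(?:(\d+)s)?)?")


def parse_duration(text):
    """Seconds for a BIND duration, or None for 'unlimited'.

    Accepts plain seconds, TTL-style ("60d", "1h30m") and ISO 8601 ("P1Y",
    "PT1H"). Assumption: a year counts as 365 days and a month as 30 days.
    """
    t = text.strip().lower()
    if t == "unlimited":
        return None
    if t.isdigit():
        return int(t)
    if t.startswith("p"):
        m = _ISO_RE.fullmatch(t)
        if m is None or not any(m.groups()):
            raise ValueError(f"bad ISO 8601 duration: {text!r}")
        y, mo, w, d, h, mi, s = (int(g or 0) for g in m.groups())
        return (y * 365 + mo * 30 + w * 7 + d) * 86400 + h * 3600 + mi * 60 + s
    if re.fullmatch(r"(?:\d+[smhdw])+", t):
        return sum(int(n) * _TTL_UNITS[u] for n, u in re.findall(r"(\d+)([smhdw])", t))
    raise ValueError(f"bad duration: {text!r}")


def parse_policy(text):
    """Extract name, dnskey-ttl, key roles/lifetimes/algorithms and nsec3param."""
    policy = {"keys": []}
    m = re.search(r'dnssec-policy\s+"?([\w-]+)"?\s*\{', text)
    if m is None:
        raise ValueError("no dnssec-policy statement found")
    policy["name"] = m[1]
    m = re.search(r"\bdnskey-ttl\s+(\S+);", text)
    policy["dnskey-ttl"] = parse_duration(m[1]) if m else None
    for role, life, alg in re.findall(
            r"\b(ksk|zsk|csk)\s+lifetime\s+(\S+)\s+algorithm\s+(\S+);", text):
        policy["keys"].append({"role": role, "lifetime": parse_duration(life),
                               "algorithm": alg.lower()})
    m = re.search(r"\bnsec3param\s+([^;]*);", text)
    if m:
        opts = m[1].split()
        policy["nsec3param"] = dict(zip(opts[0::2], opts[1::2]))  # name/value pairs
    return policy


def lint_policy(policy):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    n3 = policy.get("nsec3param")
    if n3 is not None:
        if int(n3.get("iterations", "0")) != 0:
            findings.append("nsec3param: use 0 additional iterations (RFC 9276)")
        if int(n3.get("salt-length", "0")) != 0:
            findings.append("nsec3param: use no salt, salt-length 0 (RFC 9276)")
    roles = {k["role"]: k for k in policy["keys"]}
    if "csk" not in roles and ("ksk" in roles) != ("zsk" in roles):
        findings.append("keys: need both a ksk and a zsk, or a single csk")
    if "ksk" in roles and "zsk" in roles:
        kl, zl = roles["ksk"]["lifetime"], roles["zsk"]["lifetime"]
        if kl is not None and zl is not None and kl < zl:
            findings.append("ksk lifetime shorter than zsk lifetime; every KSK "
                            "rollover needs a DS change at the parent")
        if roles["ksk"]["algorithm"] != roles["zsk"]["algorithm"]:
            findings.append("ksk and zsk use different algorithms; each algorithm "
                            "in the DNSKEY RRset must sign the whole zone (RFC 4035)")
    return findings


if __name__ == "__main__":
    for text in (CUSTOM_POLICY, WEAK_POLICY):
        pol = parse_policy(text)
        print(pol["name"], "->", lint_policy(pol) or "no findings")
```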
<section id="key-rollover">
<h4><span class="section-number">5.1.2.1. </span>Key Rollover<a class="headerlink" href="#key-rollover" title="Link to this heading"></a></h4>
<p>When using a <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a>, a key lifetime can be set to trigger
key rollovers. ZSK rollovers are fully automatic, but for KSK and CSK rollovers
a DS record needs to be submitted to the parent. See
<a class="reference internal" href="#secure-delegation"><span class="std std-ref">Secure Delegation</span></a> for possible ways to do so.</p>
<p>Once the DS is in the parent (and the DS of the predecessor key is withdrawn),
BIND needs to be told that this event has happened. This can be done automatically
by configuring parental agents:</p>
<div class="highlight-none notranslate"><div class="highlight"><pre><span></span>  zone &quot;dnssec.example&quot; {
      type primary;
      file &quot;dnssec.example.db&quot;;
      dnssec-policy default;
<span class="hll">      inline-signing yes;
</span>      parental-agents { 192.0.2.1; };
  };
</pre></div>
</div>
<p>Here one server, <code class="docutils literal notranslate"><span class="pre">192.0.2.1</span></code>, is configured as the parental agent to which BIND sends DS queries
to check the DS RRset for <code class="docutils literal notranslate"><span class="pre">dnssec.example</span></code> during key rollovers. This needs
to be a trusted server, because BIND does not validate the response.</p>
<p>If setting up a parental agent is undesirable, it is also possible to tell BIND that the
DS is published in the parent with
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-dnssec"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">dnssec</span> <span class="pre">-checkds</span> <span class="pre">-key</span> <span class="pre">12345</span> <span class="pre">published</span> <span class="pre">dnssec.example.</span></code></a>,
and that the DS for the predecessor key has been removed with
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-dnssec"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">dnssec</span> <span class="pre">-checkds</span> <span class="pre">-key</span> <span class="pre">54321</span> <span class="pre">withdrawn</span> <span class="pre">dnssec.example.</span></code></a>,
where 12345 and 54321 are the key tags of the successor and predecessor key,
respectively.</p>
<p>To roll a key sooner than scheduled, or to roll a key that
has an unlimited lifetime, use:
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-dnssec"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">dnssec</span> <span class="pre">-rollover</span> <span class="pre">-key</span> <span class="pre">12345</span> <span class="pre">dnssec.example.</span></code></a>.</p>
<p>You can pregenerate keys and save them in the key directory. As long as the
key has no timing metadata set, it may be selected as a successor in the
upcoming key rollover. To pregenerate keys without setting key timing metadata,
use the <cite>-G</cite> option: <code class="docutils literal notranslate"><span class="pre">dnssec-keygen</span> <span class="pre">-G</span> <span class="pre">dnssec.example.</span></code>.</p>
<p>To revert a signed zone back to an insecure zone, change
the zone configuration to use the built-in “insecure” policy. Detailed
instructions are described in <a class="reference internal" href="dnssec-guide.html#revert-to-unsigned"><span class="std std-ref">Reverting to Unsigned</span></a>.</p>
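<p>The decision that a parental agent makes for you, or that an operator makes by hand before running the <code class="docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">dnssec</span> <span class="pre">-checkds</span></code> commands above, can be written down as a small check. The following Python is an added example (not BIND code): it parses a DS RRset as the parent would serve it, matches keys on the pair (key tag, algorithm) because tags alone are not unique, and returns which <code class="docutils literal notranslate"><span class="pre">published</span></code>/<code class="docutils literal notranslate"><span class="pre">withdrawn</span></code> signals the RRset justifies, warning instead when neither key has a DS. The DS records and digests are constructed placeholders; obtaining the RRset over a trusted channel, as the text requires for parental agents, is left to the caller.</p>

```python
from typing import NamedTuple

# Constructed DS RRsets for dnssec.example. at three points of a KSK rollover.
# Digests are placeholders (64 hex digits, the length of a SHA-256 digest).
_D1 = "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
_D2 = "ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100"
DS_PREDECESSOR_ONLY = f"""
; only the old key (54321) has a DS at the parent
dnssec.example. 3600 IN DS 54321 13 2 {_D1}
"""
DS_BOTH = f"""
; successor (12345) published, predecessor (54321) still present
dnssec.example. 3600 IN DS 54321 13 2 {_D1}
dnssec.example. 3600 IN DS 12345 13 2 {_D2}
"""
DS_SUCCESSOR_ONLY = f"""
; predecessor withdrawn; a tag collision with a different algorithm is ignored
dnssec.example. 3600 IN DS 12345 13 2 {_D2}
dnssec.example. 3600 IN DS 54321 8 2 {_D1}
"""


class DS(NamedTuple):
    owner: str
    key_tag: int
    algorithm: int
    digest_type: int
    digest: str


def parse_ds_rrset(text):
    """Parse presentation-format DS records: owner TTL class DS tag alg dtype digest."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue                     # blank line or comment
        if len(parts) < 8 or parts[3].upper() != "DS":
            continue                     # not a DS record
        owner, _ttl, _cls, _rtype, tag, alg, dtype, *digest = parts
        records.append(DS(owner.lower(), int(tag), int(alg), int(dtype),
                          "".join(digest).lower()))
    return records


def checkds_commands(zone, ds_records, successor, predecessor=None):
    """Decide which 'rndc dnssec -checkds' signals the parent's DS RRset supports.

    successor and predecessor are (key_tag, algorithm) pairs. Returns
    (commands, warnings); commands is empty until the successor DS is visible.
    """
    zone = zone.lower()
    present = {(r.key_tag, r.algorithm) for r in ds_records if r.owner == zone}
    commands, warnings = [], []
    if successor not in present:
        if predecessor is not None and predecessor not in present:
            warnings.append(f"{zone}: neither key has a DS at the parent; do not "
                            "withdraw the predecessor before the successor is published")
        else:
            warnings.append(f"{zone}: successor DS {successor} not yet published; wait")
        return commands, warnings
    commands.append(f"rndc dnssec -checkds -key {successor[0]} published {zone}")
    if predecessor is not None and predecessor not in present:
        commands.append(f"rndc dnssec -checkds -key {predecessor[0]} withdrawn {zone}")
    return commands, warnings


if __name__ == "__main__":
    for label, text in (("before", DS_PREDECESSOR_ONLY), ("during", DS_BOTH),
                        ("after", DS_SUCCESSOR_ONLY)):
        cmds, warns = checkds_commands("dnssec.example.", parse_ds_rrset(text),
                                       successor=(12345, 13), predecessor=(54321, 13))
        print(label, cmds, warns)
```

<p>Note that the commands are only printed, never executed: the point of the check is to make the operator's decision explicit before <code class="docutils literal notranslate"><span class="pre">rndc</span></code> is run, and the <code class="docutils literal notranslate"><span class="pre">withdrawn</span></code> signal is never emitted unless the successor DS is already present.</p>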
</section>
</section>
<section id="manual-key-management">
<span id="dnssec-dynamic-zones"></span><h3><span class="section-number">5.1.3. </span>Manual Key Management<a class="headerlink" href="#manual-key-management" title="Link to this heading"></a></h3>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>The method described here allows full control over the keys used to sign
the zone. This is required only for very special cases and is generally
discouraged. Under normal circumstances, please use <a class="reference internal" href="#dnssec-kasp"><span class="std std-ref">Fully Automated (Key and Signing Policy)</span></a>.</p>
</div>
<section id="multi-signer-model">
<span id="dnssec-dynamic-zones-multisigner-model"></span><h4><span class="section-number">5.1.3.1. </span>Multi-Signer Model<a class="headerlink" href="#multi-signer-model" title="Link to this heading"></a></h4>
<p>Dynamic zones provide the ability to sign a zone by multiple providers, meaning
each provider signs and serves the same zone independently. Such a setup requires
some coordination between providers when it comes to key rollovers, and may be
better suited to be configured with <code class="docutils literal notranslate"><span class="pre">auto-dnssec</span> <span class="pre">allow;</span></code>. This permits keys to
be updated and the zone to be re-signed only if the user issues the command
<a class="reference internal" href="manpages.html#cmdoption-rndc-arg-sign"><code class="xref std std-option docutils literal notranslate"><span class="pre">rndc</span> <span class="pre">sign</span> <span class="pre">zonename</span></code></a>.</p>
<p>A zone can also be configured with <code class="docutils literal notranslate"><span class="pre">auto-dnssec</span> <span class="pre">maintain</span></code>, which automatically
adjusts the zone’s DNSSEC keys on a schedule according to the key timing
metadata. However, keys still need to be generated separately, for
example with <a class="reference internal" href="manpages.html#std-iscman-dnssec-keygen"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-keygen</span></code></a>.</p>
<p>Of course, dynamic zones can also use <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> to fully automate DNSSEC
maintenance. The next sections assume that more key
management control is needed, and describe how to use dynamic DNS update to perform
various DNSSEC operations.</p>
</section>
<section id="enabling-dnssec-manually">
<span id="dnssec-dynamic-zones-enabling-dnssec"></span><h4><span class="section-number">5.1.3.2. </span>Enabling DNSSEC Manually<a class="headerlink" href="#enabling-dnssec-manually" title="Link to this heading"></a></h4>
<p>As an alternative to fully automated zone signing using <a class="reference internal" href="#dnssec-kasp"><span class="std std-ref">dnssec-policy</span></a>, a zone can be changed from insecure to secure using a dynamic
DNS update. <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> must be configured so that it can see the <code class="docutils literal notranslate"><span class="pre">K*</span></code>
files which contain the public and private parts of the <a class="reference internal" href="#id2">zone keys</a> that are
used to sign the zone. Key files should be placed in the <a class="reference internal" href="reference.html#namedconf-statement-key-directory" title="namedconf-statement-key-directory"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">key-directory</span></code></a>, as
specified in <a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named.conf</span></code></a>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">zone</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="p">{</span>
    <span class="nb">type</span> <span class="n">primary</span><span class="p">;</span>
    <span class="n">update</span><span class="o">-</span><span class="n">policy</span> <span class="n">local</span><span class="p">;</span>
    <span class="n">auto</span><span class="o">-</span><span class="n">dnssec</span> <span class="n">allow</span><span class="p">;</span>
    <span class="n">file</span> <span class="s2">&quot;dynamic/update.example.db&quot;</span><span class="p">;</span>
    <span class="n">key</span><span class="o">-</span><span class="n">directory</span> <span class="s2">&quot;keys/update.example/&quot;</span><span class="p">;</span>
<span class="p">};</span>
</pre></div>
</div>
<p>If there are both a KSK and a ZSK available (or a CSK), this configuration causes the
zone to be signed. An <code class="docutils literal notranslate"><span class="pre">NSEC</span></code> chain is generated as part of the initial signing
process.</p>
<p>In any secure zone which supports dynamic updates, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> periodically
re-signs RRsets which have not been re-signed as a result of some update action.
The signature lifetimes are adjusted to spread the re-sign load over time rather
than all at once.</p>
</section>
<section id="publishing-dnskey-records">
<span id="dnssec-dynamic-zones-publishing-dnskey-records"></span><h4><span class="section-number">5.1.3.3. </span>Publishing DNSKEY Records<a class="headerlink" href="#publishing-dnskey-records" title="Link to this heading"></a></h4>
<p>To insert the keys via dynamic update:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">%</span> <span class="n">nsupdate</span>
<span class="o">&gt;</span> <span class="n">ttl</span> <span class="mi">3600</span>
<span class="o">&gt;</span> <span class="n">update</span> <span class="n">add</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="n">DNSKEY</span> <span class="mi">256</span> <span class="mi">3</span> <span class="mi">7</span> <span class="n">AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y</span> <span class="n">I1m</span><span class="o">/</span><span class="n">SAQBxIqMfLtIwqWPdgthsu36azGQAX8</span><span class="o">=</span>
<span class="o">&gt;</span> <span class="n">update</span> <span class="n">add</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="n">DNSKEY</span> <span class="mi">257</span> <span class="mi">3</span> <span class="mi">7</span> <span class="n">AwEAAd</span><span class="o">/</span><span class="mi">7</span><span class="n">odU</span><span class="o">/</span><span class="mi">64</span><span class="n">o2LGsifbLtQmtO8dFDtTAZXSX2</span><span class="o">+</span><span class="n">X3e</span><span class="o">/</span><span class="n">UNlq9IHq3Y0</span> <span class="n">XtC0Iuawl</span><span class="o">/</span><span class="n">qkaKVxXe2lo8Ct</span><span class="o">+</span><span class="n">dM6UehyCqk</span><span class="o">=</span>
<span class="o">&gt;</span> <span class="n">send</span>
</pre></div>
</div>
<p>In order to sign with these keys, the corresponding key files should also be
placed in the <a class="reference internal" href="reference.html#namedconf-statement-key-directory" title="namedconf-statement-key-directory"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">key-directory</span></code></a>.</p>
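<p>Before publishing DNSKEY records by hand it helps to know which key tag and role each record will get, so that the key files placed in the <code class="docutils literal notranslate"><span class="pre">key-directory</span></code> can be matched against them. The Python below is an added example (not BIND code) that parses the two <code class="docutils literal notranslate"><span class="pre">nsupdate</span></code> lines shown above, derives the role from the flags field (256: zone key, 257: zone key with the SEP bit, i.e. a KSK), and computes the key tag with the RFC 4034 Appendix B algorithm. The DNSKEY lines are copied from the example above as constructed input; the small fixed-value key in the self-check is made up to give a tag that can be verified by hand.</p>

```python
import base64
from typing import NamedTuple

ALGORITHM_NAMES = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}

# The two DNSKEY records from the nsupdate session above (example keys, copied
# as constructed input; whitespace inside the base64 is allowed and removed).
NSUPDATE_LINES = [
    "update add update.example DNSKEY 256 3 7 AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y I1m/SAQBxIqMfLtIwqWPdgthsu36azGQAX8=",
    "update add update.example DNSKEY 257 3 7 AwEAAd/7odU/64o2LGsifbLtQmtO8dFDtTAZXSX2+X3e/UNlq9IHq3Y0 XtC0Iuawl/qkaKVxXe2lo8Ct+dM6UehyCqk=",
]


class DNSKey(NamedTuple):
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes


def parse_nsupdate_dnskey(line: str) -> DNSKey:
    """Parse 'update add <owner> DNSKEY <flags> <proto> <alg> <base64...>'."""
    parts = line.split()
    if len(parts) < 8 or parts[:2] != ["update", "add"] or parts[3].upper() != "DNSKEY":
        raise ValueError(f"not an nsupdate DNSKEY add: {line!r}")
    owner, flags, proto, alg = parts[2], int(parts[4]), int(parts[5]), int(parts[6])
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
    return DNSKey(owner, flags, proto, alg, base64.b64decode("".join(parts[7:])))


def key_role(flags: int) -> str:
    if not flags & 0x0100:      # bit 7 of the flags field: Zone Key
        return "not a zone key"
    return "KSK" if flags & 0x0001 else "ZSK"   # bit 15: Secure Entry Point


def key_tag(key: DNSKey) -> int:
    """RFC 4034 Appendix B.1 key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    if key.algorithm == 1:
        raise ValueError("RSAMD5 (alg 1) uses a different tag rule and is deprecated")
    rdata = key.flags.to_bytes(2, "big") + bytes([key.protocol, key.algorithm]) + key.public_key
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b   # even bytes are the high octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def describe(line: str) -> dict:
    key = parse_nsupdate_dnskey(line)
    return {
        "owner": key.owner,
        "role": key_role(key.flags),
        "algorithm": ALGORITHM_NAMES.get(key.algorithm, f"UNKNOWN({key.algorithm})"),
        "tag": key_tag(key),
        "key_bytes": len(key.public_key),
    }


if __name__ == "__main__":
    for line in NSUPDATE_LINES:
        d = describe(line)
        print(f"{d['owner']} {d['role']} alg={d['algorithm']} tag={d['tag']:05d} "
              f"({d['key_bytes']} key bytes)")
```

<p>The tag printed for each record is the number that appears in the matching <code class="docutils literal notranslate"><span class="pre">K*+007+NNNNN</span></code> file name; the 68-byte keys in the example are 512-bit RSA keys, and algorithm 7 is SHA-1 based and no longer recommended for signing new zones (RFC 8624), both of which mark these as illustration-only keys.</p>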
</section>
<section id="nsec3">
<span id="dnssec-dynamic-zones-nsec3"></span><h4><span class="section-number">5.1.3.4. </span>NSEC3<a class="headerlink" href="#nsec3" title="Link to this heading"></a></h4>
<p>To sign using <a class="reference internal" href="dnssec-guide.html#advanced-discussions-nsec3"><span class="std std-ref">NSEC3</span></a> instead of <a class="reference internal" href="dnssec-guide.html#advanced-discussions-nsec"><span class="std std-ref">NSEC</span></a>, add an NSEC3PARAM record to the initial update
request. The <a class="reference internal" href="dnssec-guide.html#term-Opt-out"><span class="xref std std-term">OPTOUT</span></a> bit in the NSEC3
chain can be set in the flags field of the
NSEC3PARAM record.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="o">%</span> <span class="n">nsupdate</span>
<span class="o">&gt;</span> <span class="n">ttl</span> <span class="mi">3600</span>
<span class="o">&gt;</span> <span class="n">update</span> <span class="n">add</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="n">DNSKEY</span> <span class="mi">256</span> <span class="mi">3</span> <span class="mi">7</span> <span class="n">AwEAAZn17pUF0KpbPA2c7Gz76Vb18v0teKT3EyAGfBfL8eQ8al35zz3Y</span> <span class="n">I1m</span><span class="o">/</span><span class="n">SAQBxIqMfLtIwqWPdgthsu36azGQAX8</span><span class="o">=</span>
<span class="o">&gt;</span> <span class="n">update</span> <span class="n">add</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="n">DNSKEY</span> <span class="mi">257</span> <span class="mi">3</span> <span class="mi">7</span> <span class="n">AwEAAd</span><span class="o">/</span><span class="mi">7</span><span class="n">odU</span><span class="o">/</span><span class="mi">64</span><span class="n">o2LGsifbLtQmtO8dFDtTAZXSX2</span><span class="o">+</span><span class="n">X3e</span><span class="o">/</span><span class="n">UNlq9IHq3Y0</span> <span class="n">XtC0Iuawl</span><span class="o">/</span><span class="n">qkaKVxXe2lo8Ct</span><span class="o">+</span><span class="n">dM6UehyCqk</span><span class="o">=</span>
<span class="o">&gt;</span> <span class="n">update</span> <span class="n">add</span> <span class="n">update</span><span class="o">.</span><span class="n">example</span> <span class="n">NSEC3PARAM</span> <span class="mi">1</span> <span class="mi">0</span> <span class="mi">0</span> <span class="o">-</span>
<span class="o">&gt;</span> <span class="n">send</span>
</pre></div>
</div>
<p>Note that the <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> record does not show up until <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> has
had a chance to build/remove the relevant chain. A private type record is
created to record the state of the operation (see below for more details), and
is removed once the operation completes.</p>
<p>The <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chain is generated and the <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> record is added before
the <code class="docutils literal notranslate"><span class="pre">NSEC</span></code> chain is destroyed.</p>
<p>While the initial signing and <code class="docutils literal notranslate"><span class="pre">NSEC</span></code>/<code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chain generation are occurring,
other updates are possible as well.</p>
<p>A new <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> record can be added via dynamic update. When the new
<code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chain has been generated, the <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> flag field is set to
zero. At that point, the old <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> record can be removed. The old
chain is removed after the update request completes.</p>
<p><a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> only supports creating new <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chains where all the
<code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> records in the zone have the same <code class="docutils literal notranslate"><span class="pre">OPTOUT</span></code> state. <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>
supports updates to zones where the <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> records in the chain have mixed
<code class="docutils literal notranslate"><span class="pre">OPTOUT</span></code> state. <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> does not support changing the <code class="docutils literal notranslate"><span class="pre">OPTOUT</span></code>
state of an individual <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> record; if the <code class="docutils literal notranslate"><span class="pre">OPTOUT</span></code> state of an
individual <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> needs to be changed, the entire chain must be changed.</p>
<p>To switch back to <code class="docutils literal notranslate"><span class="pre">NSEC</span></code>, use <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a> to remove any <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code>
records. The <code class="docutils literal notranslate"><span class="pre">NSEC</span></code> chain is generated before the <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chain is removed.</p>
</section>
<section id="dnskey-rollovers">
<span id="dnssec-dynamic-zones-dnskey-rollovers"></span><h4><span class="section-number">5.1.3.5. </span>DNSKEY Rollovers<a class="headerlink" href="#dnskey-rollovers" title="Link to this heading"></a></h4>
<p>To perform key rollovers via a dynamic update, the <code class="docutils literal notranslate"><span class="pre">K*</span></code> files for the new keys
must be added so that <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> can find them. The new <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> RRs can
then be added via dynamic update. When the zones are being signed, they are
signed with the new key set; when the signing is complete, the private type
records are updated so that the last octet is non-zero.</p>
<p>If this is for a KSK, the parent and any trust anchor repositories of the new
KSK must be informed.</p>
<p>The maximum TTL in the zone must expire before removing the old <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code>. If
it is a KSK that is being updated, the DS RRset in the parent must also be
updated and its TTL allowed to expire. This ensures that all clients are able to
verify at least one signature when the old <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> is removed.</p>
<p>The old <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> can be removed via <code class="docutils literal notranslate"><span class="pre">UPDATE</span></code>, taking care to specify the
correct key. <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> cleans out any signatures generated by the old
key after the update completes.</p>
</section>
<section id="going-insecure">
<span id="dnssec-dynamic-zones-going-insecure"></span><h4><span class="section-number">5.1.3.6. </span>Going Insecure<a class="headerlink" href="#going-insecure" title="Link to this heading"></a></h4>
<p>To convert a signed zone to unsigned using dynamic DNS, delete all the
<code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> records from the zone apex using <a class="reference internal" href="manpages.html#std-iscman-nsupdate"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">nsupdate</span></code></a>. All signatures,
<code class="docutils literal notranslate"><span class="pre">NSEC</span></code> or <code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chains, and associated <code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> records are removed
automatically when the zone is supposed to be re-signed.</p>
<p>This requires the <a class="reference internal" href="reference.html#namedconf-statement-dnssec-secure-to-insecure" title="namedconf-statement-dnssec-secure-to-insecure"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-secure-to-insecure</span></code></a> option to be set to <code class="docutils literal notranslate"><span class="pre">yes</span></code> in
<a class="reference internal" href="manpages.html#std-iscman-named.conf"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named.conf</span></code></a>.</p>
<p>In addition, if <code class="docutils literal notranslate"><span class="pre">auto-dnssec</span> <span class="pre">maintain</span></code> or a <a class="reference internal" href="reference.html#namedconf-statement-dnssec-policy" title="namedconf-statement-dnssec-policy"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-policy</span></code></a> is in use, it
should be removed or changed to <code class="docutils literal notranslate"><span class="pre">allow</span></code>; otherwise the zone is re-signed.</p>
</section>
</section>
<section id="manual-signing">
<span id="dnssec-tools"></span><h3><span class="section-number">5.1.4. </span>Manual Signing<a class="headerlink" href="#manual-signing" title="Link to this heading"></a></h3>
<p>There are several tools available to manually sign a zone.</p>
<div class="admonition warning">
<p class="admonition-title">Warning</p>
<p>Please note that manual procedures are available mainly for backward
compatibility and should be used only by expert users with specific needs.</p>
</div>
<p>To set up a DNSSEC secure zone manually, a series of steps
must be followed. Please see chapter
<a class="reference internal" href="dnssec-guide.html#advanced-discussions-manual-key-management-and-signing"><span class="std std-ref">Manual Signing</span></a> in the
<a class="reference internal" href="dnssec-guide.html"><span class="doc">DNSSEC Guide</span></a> for more information.</p>
</section>
<section id="monitoring-with-private-type-records">
<h3><span class="section-number">5.1.5. </span>Monitoring with Private Type Records<a class="headerlink" href="#monitoring-with-private-type-records" title="Link to this heading"></a></h3>
<p>The state of the signing process is signaled by private type records (with a
default type value of 65534). When signing is complete, those records with a
non-zero initial octet have a non-zero value for the final octet.</p>
<p>If the first octet of a private type record is non-zero, the record indicates
either that the zone needs to be signed with the key matching the record, or
that all signatures that match the record should be removed. The octets of such
a record have the following meanings:</p>
<blockquote>
<div><ul class="simple">
<li><p>algorithm (octet 1)</p></li>
<li><p>key ID in network order (octet 2 and 3)</p></li>
<li><p>removal flag (octet 4)</p></li>
<li><p>complete flag (octet 5)</p></li>
</ul>
</div></blockquote>
<p>Only records flagged as “complete” can be removed via dynamic update; attempts
to remove other private type records are silently ignored.</p>
<p>If the first octet is zero (this is a reserved algorithm number that should
never appear in a <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> record), the record indicates that changes to the
<code class="docutils literal notranslate"><span class="pre">NSEC3</span></code> chains are in progress. The rest of the record contains an
<code class="docutils literal notranslate"><span class="pre">NSEC3PARAM</span></code> record, whose flags field indicates which operation is being
performed, according to the following bits:</p>
<blockquote>
<div><ul class="simple">
<li><p>0x01 OPTOUT</p></li>
<li><p>0x80 CREATE</p></li>
<li><p>0x40 REMOVE</p></li>
<li><p>0x20 NONSEC</p></li>
</ul>
</div></blockquote>
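<p>The following decoder is an added example, not part of BIND, that applies the two layouts described above to private type records as <code class="docutils literal notranslate"><span class="pre">dig</span></code> prints them in RFC 3597 generic form (<code class="docutils literal notranslate"><span class="pre">\#</span> <span class="pre">&lt;length&gt;</span> <span class="pre">&lt;hex&gt;</span></code>); the sample records are constructed, and a bit outside the four listed above is reported as unknown rather than interpreted.</p>

```python
"""Decode BIND 9 private type records (default TYPE65534) that signal
DNSSEC signing state.  Added example; not BIND's own code.

Layouts as documented in the ARM:
  * first octet non-zero: octet 1 algorithm, octets 2-3 key ID in
    network order, octet 4 removal flag, octet 5 complete flag;
  * first octet zero: an NSEC3PARAM rdata follows, and its flags field
    carries the operation bits 0x01 OPTOUT, 0x80 CREATE, 0x40 REMOVE,
    0x20 NONSEC.
"""
import re
import struct

# Operation bits in the NSEC3PARAM flags field of a zero-prefixed record.
NSEC3_OP_BITS = {0x80: "CREATE", 0x40: "REMOVE", 0x20: "NONSEC", 0x01: "OPTOUT"}


def parse_generic_rdata(text: str) -> bytes:
    """Parse RFC 3597 '\\# <len> <hex...>' text, as dig prints unknown
    types, and check the declared length against the hex payload."""
    m = re.fullmatch(r"\\#\s+(\d+)\s*((?:[0-9A-Fa-f\s])*)", text.strip())
    if not m:
        raise ValueError(f"not generic rdata: {text!r}")
    length = int(m.group(1))
    payload = bytes.fromhex(re.sub(r"\s+", "", m.group(2)))
    if len(payload) != length:
        raise ValueError(f"declared length {length} != {len(payload)} bytes")
    return payload


def parse_private_record(rdata: bytes) -> dict:
    """Decode one private type record into a description of its state."""
    if not rdata:
        raise ValueError("empty private record")
    if rdata[0] != 0:
        # Signing-state record: fixed five-octet layout.
        if len(rdata) != 5:
            raise ValueError(f"signing record must be 5 octets, got {len(rdata)}")
        alg, key_id, removal, complete = struct.unpack("!BHBB", rdata)
        return {
            "kind": "signing",
            "algorithm": alg,
            "key_id": key_id,
            "removing": removal != 0,
            "complete": complete != 0,
        }
    # NSEC3 chain-state record: 0x00 followed by NSEC3PARAM rdata
    # (hash algorithm, flags, iterations, salt length, salt).
    if len(rdata) < 6:
        raise ValueError("NSEC3 state record too short for an NSEC3PARAM header")
    hash_alg, flags, iterations, salt_len = struct.unpack("!BBHB", rdata[1:6])
    salt = rdata[6:]
    if len(salt) != salt_len:
        raise ValueError(f"salt length {salt_len} != {len(salt)} bytes present")
    ops = [name for bit, name in NSEC3_OP_BITS.items() if flags & bit]
    unknown = flags & ~sum(NSEC3_OP_BITS)  # bits the ARM does not define
    return {
        "kind": "nsec3",
        "hash_algorithm": hash_alg,
        "flags": ops,
        "unknown_flag_bits": unknown,
        "iterations": iterations,
        "salt": salt.hex() or "-",
    }


def pending_operations(records) -> list:
    """Summarise what named still has to do, given the private type
    records at the zone apex as generic-format strings.  An empty list
    means signing is complete and no NSEC3 chain change is in progress."""
    pending = []
    for text in records:
        rec = parse_private_record(parse_generic_rdata(text))
        if rec["kind"] == "signing":
            if not rec["complete"]:
                action = "remove signatures by" if rec["removing"] else "sign with"
                pending.append(f"{action} key {rec['key_id']} (alg {rec['algorithm']})")
        elif rec["flags"]:
            pending.append("NSEC3 " + "|".join(rec["flags"]))
    return pending


if __name__ == "__main__":
    # Constructed sample records, not real zone data:
    #   alg 13, key 10000, not removing, complete
    #   alg 13, key 10128, removing signatures, not yet complete
    #   NSEC3 chain being created with OPTOUT, 0 iterations, salt abcd
    sample = [
        r"\# 5 0D27100001",
        r"\# 5 0D27900100",
        r"\# 8 000181000002ABCD",
    ]
    for line in pending_operations(sample):
        print("pending:", line)
```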
</section>
</section>
<section id="secure-delegation">
<span id="id3"></span><h2><span class="section-number">5.2. </span>Secure Delegation<a class="headerlink" href="#secure-delegation" title="Link to this heading"></a></h2>
<p>Once a zone is signed on the authoritative servers, the last remaining step
is to establish a chain of trust <a class="footnote-reference brackets" href="#validation" id="id4" role="doc-noteref"><span class="fn-bracket">[</span>1<span class="fn-bracket">]</span></a> between the parent zone
(<code class="docutils literal notranslate"><span class="pre">example.</span></code>) and the local zone (<code class="docutils literal notranslate"><span class="pre">dnssec.example.</span></code>).</p>
<p>Generally the procedure is:</p>
<blockquote>
<div><ul class="simple">
<li><p><strong>Wait</strong> for stale data to expire from caches. The amount of time required
is equal to the maximum TTL value used in the zone before signing. This
step ensures that unsigned data expire from caches and resolvers do not get
confused by missing signatures.</p></li>
<li><p>Insert/update DS records in the parent zone (<code class="docutils literal notranslate"><span class="pre">dnssec.example.</span> <span class="pre">DS</span></code> record).</p></li>
</ul>
</div></blockquote>
<p>There are multiple ways to update DS records in the parent zone. Refer to the
documentation for the parent zone to find out which options are applicable to
a given zone. Generally the options are, from most to least recommended:</p>
<blockquote>
<div><ul class="simple">
<li><p>Automatically update the DS record in the parent zone using the
<code class="docutils literal notranslate"><span class="pre">CDS</span></code>/<code class="docutils literal notranslate"><span class="pre">CDNSKEY</span></code> records that BIND generates. This requires
support for <span class="target" id="index-0"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc7344.html"><strong>RFC 7344</strong></a> in the parent zone, registry, or registrar. In
that case, configure BIND to <a class="reference internal" href="dnssec-guide.html#cds-cdnskey"><span class="std std-ref">monitor DS records in the parent
zone</span></a> and everything happens automatically at the right
time.</p></li>
<li><p>Query the zone for automatically generated <code class="docutils literal notranslate"><span class="pre">CDS</span></code> or <code class="docutils literal notranslate"><span class="pre">CDNSKEY</span></code> records using
<a class="reference internal" href="manpages.html#std-iscman-dig"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dig</span></code></a>, and then insert these records into the parent zone using
the method specified by the parent zone (web form, e-mail, API, …).</p></li>
<li><p>Generate DS records manually using the <a class="reference internal" href="manpages.html#std-iscman-dnssec-dsfromkey"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-dsfromkey</span></code></a> utility on
<a class="reference internal" href="#id2">zone keys</a>, and then insert them into the parent zone.</p></li>
</ul>
</div></blockquote>
<aside class="footnote-list brackets">
<aside class="footnote brackets" id="validation" role="doc-footnote">
<span class="label"><span class="fn-bracket">[</span><a role="doc-backlink" href="#id4">1</a><span class="fn-bracket">]</span></span>
<p>For further details on how the chain of trust is used in practice, see
<a class="reference internal" href="dnssec-guide.html#dnssec-12-steps"><span class="std std-ref">The 12-Step DNSSEC Validation Process (Simplified)</span></a> in the <a class="reference internal" href="dnssec-guide.html"><span class="doc">DNSSEC Guide</span></a>.</p>
</aside>
</aside>
</section>
<section id="dnssec-validation">
<h2><span class="section-number">5.3. </span>DNSSEC Validation<a class="headerlink" href="#dnssec-validation" title="Link to this heading"></a></h2>
<p>The BIND resolver validates answers from authoritative servers by default. This
behavior is controlled by the configuration statement <a class="reference internal" href="reference.html#namedconf-statement-dnssec-validation" title="namedconf-statement-dnssec-validation"><code class="xref namedconf namedconf-ref docutils literal notranslate"><span class="pre">dnssec-validation</span></code></a>.</p>
<p>By default a trust anchor for the DNS root zone is used.
This trust anchor is provided as part of BIND and is kept up-to-date using
<a class="reference internal" href="#rfc5011-support"><span class="std std-ref">Dynamic Trust Anchor Management</span></a>.</p>
<div class="admonition note">
<p class="admonition-title">Note</p>
<p>DNSSEC validation works “out of the box” and does not require
additional configuration. Additional configuration options are intended only
for special cases.</p>
</div>
<p>To validate answers, the resolver needs at least one trusted starting point,
a “trust anchor.” Essentially, trust anchors are copies of <code class="docutils literal notranslate"><span class="pre">DNSKEY</span></code> RRs for
zones that are used to form the first link in the cryptographic chain of trust.
Alternative trust anchors can be specified using <a class="reference internal" href="reference.html#namedconf-statement-trust-anchors" title="namedconf-statement-trust-anchors"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">trust-anchors</span></code></a>, but
this setup is very unusual and is recommended only for expert use.
For more information, see <a class="reference internal" href="dnssec-guide.html#trust-anchors-description"><span class="std std-ref">Trust Anchors</span></a> in the
<a class="reference internal" href="dnssec-guide.html"><span class="doc">DNSSEC Guide</span></a>.</p>
<p>The BIND authoritative server does not verify signatures on load, so zone keys
for authoritative zones do not need to be specified in the configuration
file.</p>
<section id="validation-failures">
<h3><span class="section-number">5.3.1. </span>Validation Failures<a class="headerlink" href="#validation-failures" title="Link to this heading"></a></h3>
<p>When DNSSEC validation is configured, the resolver rejects any answers from
signed, secure zones which fail to validate, and returns SERVFAIL to the
client.</p>
<p>Responses may fail to validate for any of several reasons, including
missing, expired, or invalid signatures; a key which does not match the
DS RRset in the parent zone; or an insecure response from a zone which,
according to its parent, should have been secure.</p>
<p>For more information see <a class="reference internal" href="dnssec-guide.html#dnssec-troubleshooting"><span class="std std-ref">Basic DNSSEC Troubleshooting</span></a>.</p>
</section>
<section id="coexistence-with-unsigned-insecure-zones">
<h3><span class="section-number">5.3.2. </span>Coexistence With Unsigned (Insecure) Zones<a class="headerlink" href="#coexistence-with-unsigned-insecure-zones" title="Link to this heading"></a></h3>
<p>Zones not protected by DNSSEC are called “insecure,” and these zones seamlessly
coexist with signed zones.</p>
<p>When the validator receives a response from an unsigned zone that has
a signed parent, it must confirm with the parent that the zone was
intentionally left unsigned. It does this by verifying, via signed
and validated <a class="reference internal" href="dnssec-guide.html#advanced-discussions-proof-of-nonexistence"><span class="std std-ref">NSEC/NSEC3 records</span></a>, that the parent zone contains no
DS records for the child.</p>
<p>If the validator <em>can</em> prove that the zone is insecure, then the
response is accepted. However, if it cannot, the validator must assume an
insecure response to be a forgery; it rejects the response and logs
an error.</p>
<p>The logged error reads “insecurity proof failed” and “got insecure
response; parent indicates it should be secure.”</p>
</section>
</section>
<section id="dynamic-trust-anchor-management">
<span id="rfc5011-support"></span><h2><span class="section-number">5.4. </span>Dynamic Trust Anchor Management<a class="headerlink" href="#dynamic-trust-anchor-management" title="Link to this heading"></a></h2>
<p>BIND is able to maintain DNSSEC trust anchors using <span class="target" id="index-1"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5011.html"><strong>RFC 5011</strong></a> key
management. This feature allows <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to keep track of changes to
critical DNSSEC keys without any need for the operator to make changes
to configuration files.</p>
<section id="validating-resolver">
<h3><span class="section-number">5.4.1. </span>Validating Resolver<a class="headerlink" href="#validating-resolver" title="Link to this heading"></a></h3>
<p>To configure a validating resolver to use <span class="target" id="index-2"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5011.html"><strong>RFC 5011</strong></a> to maintain a trust
anchor, configure the trust anchor using a <a class="reference internal" href="reference.html#namedconf-statement-trust-anchors" title="namedconf-statement-trust-anchors"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">trust-anchors</span></code></a> statement and
the <code class="docutils literal notranslate"><span class="pre">initial-key</span></code> keyword. Information about this can be found in
the <a class="reference internal" href="reference.html#namedconf-statement-trust-anchors" title="namedconf-statement-trust-anchors"><code class="xref any namedconf namedconf-ref docutils literal notranslate"><span class="pre">trust-anchors</span></code></a> statement description.</p>
</section>
<section id="authoritative-server">
<h3><span class="section-number">5.4.2. </span>Authoritative Server<a class="headerlink" href="#authoritative-server" title="Link to this heading"></a></h3>
<p>To set up an authoritative zone for <span class="target" id="index-3"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5011.html"><strong>RFC 5011</strong></a> trust anchor maintenance,
generate two (or more) key signing keys (KSKs) for the zone. Sign the
zone with one of them; this is the “active” KSK. All KSKs which do not
sign the zone are “stand-by” keys.</p>
<p>Any validating resolver which is configured to use the active KSK as an
<span class="target" id="index-4"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5011.html"><strong>RFC 5011</strong></a>-managed trust anchor takes note of the stand-by KSKs in the
zone’s DNSKEY RRset, and stores them for future reference. The resolver
rechecks the zone periodically; after 30 days, if the new key is
still there, the key is accepted by the resolver as a valid
trust anchor for the zone. Anytime after this 30-day acceptance timer
has completed, the active KSK can be revoked, and the zone can be
“rolled over” to the newly accepted key.</p>
<p>The easiest way to place a stand-by key in a zone is to use the “smart
signing” features of <a class="reference internal" href="manpages.html#std-iscman-dnssec-keygen"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-keygen</span></code></a> and <a class="reference internal" href="manpages.html#std-iscman-dnssec-signzone"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-signzone</span></code></a>. If a key
exists with a publication date in the past, but an activation date which is
unset or in the future, <a class="reference internal" href="manpages.html#cmdoption-dnssec-signzone-S"><code class="xref std std-option docutils literal notranslate"><span class="pre">dnssec-signzone</span> <span class="pre">-S</span></code></a> includes the
DNSKEY record in the zone but does not sign with it:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
$ dnssec-signzone -S -K keys example.net
</pre></div>
</div>
<p>To revoke a key, use the command <a class="reference internal" href="manpages.html#std-iscman-dnssec-revoke"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-revoke</span></code></a>. This
adds the REVOKED bit to the key flags and regenerates the <code class="docutils literal notranslate"><span class="pre">K*.key</span></code>
and <code class="docutils literal notranslate"><span class="pre">K*.private</span></code> files.</p>
<p>After revoking the active key, the zone must be signed with both the
revoked KSK and the new active KSK. Smart signing takes care of this
automatically.</p>
<p>Once a key has been revoked and used to sign the DNSKEY RRset in which
it appears, that key is never again accepted as a valid trust
anchor by the resolver. However, validation can proceed using the new
active key, which was accepted by the resolver when it was a
stand-by key.</p>
<p>See <span class="target" id="index-5"></span><a class="rfc reference external" href="https://datatracker.ietf.org/doc/html/rfc5011.html"><strong>RFC 5011</strong></a> for more details on key rollover scenarios.</p>
<p>When a key has been revoked, its key ID changes, increasing by 128 and
wrapping around at 65535. So, for example, the key
“<code class="docutils literal notranslate"><span class="pre">Kexample.com.+005+10000</span></code>” becomes “<code class="docutils literal notranslate"><span class="pre">Kexample.com.+005+10128</span></code>”.</p>
<p>If two keys have IDs exactly 128 apart and one is revoked, the two
key IDs will collide, causing several problems. To prevent this,
<a class="reference internal" href="manpages.html#std-iscman-dnssec-keygen"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-keygen</span></code></a> does not generate a new key if another key
which may collide is present. This checking only occurs if the new keys are
written to the same directory that holds all other keys in use for that
zone.</p>
<p>Older versions of BIND 9 did not have this protection. Exercise caution
if using key revocation on keys that were generated by previous
releases, or if using keys stored in multiple directories or on multiple
machines.</p>
<p>It is expected that a future release of BIND 9 will address this problem
in a different way, by storing revoked keys with their original
unrevoked key IDs.</p>
</section>
</section>
<section id="pkcs-11-cryptoki-support">
<span id="pkcs11"></span><h2><span class="section-number">5.5. </span>PKCS#11 (Cryptoki) Support<a class="headerlink" href="#pkcs-11-cryptoki-support" title="Link to this heading"></a></h2>
<p>Public Key Cryptography Standard #11 (PKCS#11) defines a
platform-independent API for the control of hardware security modules
(HSMs) and other cryptographic support devices.</p>
<p>PKCS#11 uses a “provider library”: a dynamically loadable
library which provides a low-level PKCS#11 interface to drive the HSM
hardware. The PKCS#11 provider library comes from the HSM vendor, and it
is specific to the HSM to be controlled.</p>
<p>BIND 9 uses engine_pkcs11 for PKCS#11. engine_pkcs11 is an OpenSSL
engine which is part of the <a class="reference external" href="https://github.com/OpenSC/libp11">OpenSC</a> project. The engine is dynamically
loaded into OpenSSL and the HSM is operated indirectly; any
cryptographic operations not supported by the HSM can be carried out by
OpenSSL instead.</p>
<section id="prerequisites">
<h3><span class="section-number">5.5.1. </span>Prerequisites<a class="headerlink" href="#prerequisites" title="Link to this heading"></a></h3>
<p>See the documentation provided by the HSM vendor for information about
installing, initializing, testing, and troubleshooting the HSM.</p>
</section>
<section id="building-softhsmv2">
<h3><span class="section-number">5.5.2. </span>Building SoftHSMv2<a class="headerlink" href="#building-softhsmv2" title="Link to this heading"></a></h3>
<p>SoftHSMv2, the latest development version of SoftHSM, is available from
<a class="reference external" href="https://github.com/softhsm/SoftHSMv2">https://github.com/softhsm/SoftHSMv2</a>. It is a software library
developed by the OpenDNSSEC project (<a class="reference external" href="https://www.opendnssec.org">https://www.opendnssec.org</a>) which
provides a PKCS#11 interface to a virtual HSM, implemented in the form
of an SQLite3 database on the local filesystem. It provides less security
than a true HSM, but it allows users to experiment with native PKCS#11
when an HSM is not available. SoftHSMv2 can be configured to use either
OpenSSL or the Botan library to perform cryptographic functions, but
when using it for native PKCS#11 in BIND, OpenSSL is required.</p>
<p>By default, the SoftHSMv2 configuration file is <code class="docutils literal notranslate"><span class="pre">prefix/etc/softhsm2.conf</span></code>
(where <code class="docutils literal notranslate"><span class="pre">prefix</span></code> is configured at compile time). This location can be
overridden by the SOFTHSM2_CONF environment variable. The SoftHSMv2
cryptographic store must be installed and initialized before using it
with BIND.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ cd SoftHSMv2
$ ./configure --with-crypto-backend=openssl --prefix=/opt/pkcs11/usr
$ make
$ make install
$ /opt/pkcs11/usr/bin/softhsm2-util --init-token --slot 0 --label softhsmv2
</pre></div>
</div>
</section>
<section id="openssl-based-pkcs-11">
<h3><span class="section-number">5.5.3. </span>OpenSSL-based PKCS#11<a class="headerlink" href="#openssl-based-pkcs-11" title="Link to this heading"></a></h3>
<p>OpenSSL-based PKCS#11 uses the engine_pkcs11 OpenSSL engine from the libp11 project.</p>
<p>engine_pkcs11 fits the PKCS#11 API into the engine API of OpenSSL: it
provides a gateway between PKCS#11 modules and the OpenSSL engine API. The
engine must be registered with OpenSSL, and the path to the PKCS#11 module it
should forward to must be provided. This can be done by editing the OpenSSL
configuration file, by engine-specific controls, or by using the p11-kit proxy
module.</p>
<p>libp11 version 0.4.12 or later is recommended.</p>
<p>For a more detailed how-to, including examples, see:</p>
<p><a class="reference external" href="https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11">https://gitlab.isc.org/isc-projects/bind9/-/wikis/BIND-9-PKCS11</a></p>
</section>
<section id="using-the-hsm">
<h3><span class="section-number">5.5.4. </span>Using the HSM<a class="headerlink" href="#using-the-hsm" title="Link to this heading"></a></h3>
<p>The canonical documentation for configuring engine_pkcs11 is in the
<a class="reference external" href="https://github.com/OpenSC/libp11/blob/master/README.md#pkcs-11-module-configuration">libp11/README.md</a> file, but a sample working configuration is included
here for the user’s convenience.</p>
<p>We are going to use our own copy of the OpenSSL configuration. As with SoftHSMv2, its
location is driven by an environment variable, this time called <code class="docutils literal notranslate"><span class="pre">OPENSSL_CONF</span></code>. We
copy the global OpenSSL configuration (usually found in
<code class="docutils literal notranslate"><span class="pre">/etc/ssl/openssl.cnf</span></code>) and customize it to load engine_pkcs11.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">cp</span> <span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">ssl</span><span class="o">/</span><span class="n">openssl</span><span class="o">.</span><span class="n">cnf</span> <span class="o">/</span><span class="n">opt</span><span class="o">/</span><span class="n">bind9</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openssl</span><span class="o">.</span><span class="n">cnf</span>
</pre></div>
</div>
<p>and export the environment variable:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">export</span> <span class="n">OPENSSL_CONF</span><span class="o">=/</span><span class="n">opt</span><span class="o">/</span><span class="n">bind9</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">openssl</span><span class="o">.</span><span class="n">cnf</span>
</pre></div>
</div>
<p>Now add the following line at the top of the file, before any sections (in square
brackets) are defined:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl_conf</span> <span class="o">=</span> <span class="n">openssl_init</span>
</pre></div>
</div>
<p>Make sure there is no other ‘openssl_conf = …’ line anywhere in the file. OpenSSL 3
stock configurations typically already contain both an <code class="docutils literal notranslate"><span class="pre">openssl_conf</span> <span class="pre">=</span> <span class="pre">openssl_init</span></code> line and an
<code class="docutils literal notranslate"><span class="pre">[openssl_init]</span></code> section; in that case keep the existing line and add the
<code class="docutils literal notranslate"><span class="pre">engines</span> <span class="pre">=</span> <span class="pre">engine_section</span></code> entry to the existing section instead of creating a second one.</p>
<p>Add the following lines at the bottom of the file. <code class="docutils literal notranslate"><span class="pre">dynamic_path</span></code> is the
engine_pkcs11 shared object installed by libp11 (normally <code class="docutils literal notranslate"><span class="pre">pkcs11.so</span></code> in
OpenSSL's engines directory), whereas <code class="docutils literal notranslate"><span class="pre">MODULE_PATH</span></code> is the HSM vendor's own
PKCS#11 module, e.g. <code class="docutils literal notranslate"><span class="pre">libsofthsm2.so</span></code> for SoftHSMv2:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="p">[</span><span class="n">openssl_init</span><span class="p">]</span>
<span class="n">engines</span><span class="o">=</span><span class="n">engine_section</span>

<span class="p">[</span><span class="n">engine_section</span><span class="p">]</span>
<span class="n">pkcs11</span> <span class="o">=</span> <span class="n">pkcs11_section</span>

<span class="p">[</span><span class="n">pkcs11_section</span><span class="p">]</span>
<span class="n">engine_id</span> <span class="o">=</span> <span class="n">pkcs11</span>
<span class="n">dynamic_path</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">PATHTO</span><span class="o">&gt;/</span><span class="n">pkcs11</span><span class="o">.</span><span class="n">so</span>
<span class="n">MODULE_PATH</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">FULL_PATH_TO_HSM_MODULE</span><span class="o">&gt;</span>
<span class="n">init</span> <span class="o">=</span> <span class="mi">0</span>
</pre></div>
</div>
</section>
<section id="key-generation">
<h3><span class="section-number">5.5.5. </span>Key Generation<a class="headerlink" href="#key-generation" title="Link to this heading"></a></h3>
<p>HSM keys can now be created and used.  We are assuming that
BIND 9 is already installed, either from a package or from the sources, and the
tools are readily available in the <code class="docutils literal notranslate"><span class="pre">$PATH</span></code>.</p>
<p>For generating the keys, we are going to use <code class="docutils literal notranslate"><span class="pre">pkcs11-tool</span></code> available from the
OpenSC suite.  On both DEB-based and RPM-based distributions, the package is
called opensc.</p>
<p>We need to generate at least two RSA keys:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pkcs11</span><span class="o">-</span><span class="n">tool</span> <span class="o">--</span><span class="n">module</span> <span class="o">&lt;</span><span class="n">FULL_PATH_TO_HSM_MODULE</span><span class="o">&gt;</span> <span class="o">-</span><span class="n">l</span> <span class="o">-</span><span class="n">k</span> <span class="o">--</span><span class="n">key</span><span class="o">-</span><span class="nb">type</span> <span class="n">rsa</span><span class="p">:</span><span class="mi">2048</span> <span class="o">--</span><span class="n">label</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span><span class="o">-</span><span class="n">ksk</span> <span class="o">--</span><span class="n">pin</span> <span class="o">&lt;</span><span class="n">PIN</span><span class="o">&gt;</span>
<span class="n">pkcs11</span><span class="o">-</span><span class="n">tool</span> <span class="o">--</span><span class="n">module</span> <span class="o">&lt;</span><span class="n">FULL_PATH_TO_HSM_MODULE</span><span class="o">&gt;</span> <span class="o">-</span><span class="n">l</span> <span class="o">-</span><span class="n">k</span> <span class="o">--</span><span class="n">key</span><span class="o">-</span><span class="nb">type</span> <span class="n">rsa</span><span class="p">:</span><span class="mi">2048</span> <span class="o">--</span><span class="n">label</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span><span class="o">-</span><span class="n">zsk</span> <span class="o">--</span><span class="n">pin</span> <span class="o">&lt;</span><span class="n">PIN</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>Remember that each key must have a unique label; we are going to use that label to
reference the private key.</p>
<p>Next, create the BIND 9 key files that refer to the keys stored in the HSM. The
<a class="reference internal" href="manpages.html#std-iscman-dnssec-keyfromlabel"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">dnssec-keyfromlabel</span></code></a> tool from BIND 9 writes the usual
<code class="docutils literal notranslate"><span class="pre">K&lt;zone&gt;+&lt;alg&gt;+&lt;id&gt;</span></code> file pair for a key that lives in the HSM rather than on disk. It needs
the OpenSSL engine name (<code class="docutils literal notranslate"><span class="pre">pkcs11</span></code>), the algorithm (<code class="docutils literal notranslate"><span class="pre">RSASHA256</span></code>), the PKCS#11 token label
(below we assume the token was initialized with the label <code class="docutils literal notranslate"><span class="pre">bind9</span></code>; use whatever label was
given to <code class="docutils literal notranslate"><span class="pre">--init-token</span></code>), the name of the PKCS#11 object (the <code class="docutils literal notranslate"><span class="pre">--label</span></code> passed to
<code class="docutils literal notranslate"><span class="pre">pkcs11-tool</span></code> when the key was generated), and the HSM PIN.</p>
<p>Convert the KSK:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">dnssec</span><span class="o">-</span><span class="n">keyfromlabel</span> <span class="o">-</span><span class="n">E</span> <span class="n">pkcs11</span> <span class="o">-</span><span class="n">a</span> <span class="n">RSASHA256</span> <span class="o">-</span><span class="n">l</span> <span class="s2">&quot;token=bind9;object=example.net-ksk;pin-value=0000&quot;</span> <span class="o">-</span><span class="n">f</span> <span class="n">KSK</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span>
</pre></div>
</div>
<p>and ZSK:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">dnssec</span><span class="o">-</span><span class="n">keyfromlabel</span> <span class="o">-</span><span class="n">E</span> <span class="n">pkcs11</span> <span class="o">-</span><span class="n">a</span> <span class="n">RSASHA256</span> <span class="o">-</span><span class="n">l</span> <span class="s2">&quot;token=bind9;object=example.net-zsk;pin-value=0000&quot;</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span>
</pre></div>
</div>
<p>NOTE: a PIN stored on disk can be used instead by specifying <code class="docutils literal notranslate"><span class="pre">pin-source=&lt;path_to&gt;/&lt;file&gt;</span></code>.
Prefer this over <code class="docutils literal notranslate"><span class="pre">pin-value</span></code>: the label string is recorded in the generated
<code class="docutils literal notranslate"><span class="pre">.private</span></code> file so that <code class="docutils literal notranslate"><span class="pre">named</span></code> can locate the key later, and a PIN embedded in it
is recorded along with it. The PIN file must be readable only by the user that runs
<code class="docutils literal notranslate"><span class="pre">named</span></code> and the <code class="docutils literal notranslate"><span class="pre">dnssec-*</span></code> tools, so create it under a umask that clears the
group and other bits (the file then gets mode 0600), e.g.:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>(umask 077 &amp;&amp; echo -n 0000 &gt; /opt/bind9/etc/pin.txt)
</pre></div>
</div>
<p>and then use in the label specification:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">pin</span><span class="o">-</span><span class="n">source</span><span class="o">=/</span><span class="n">opt</span><span class="o">/</span><span class="n">bind9</span><span class="o">/</span><span class="n">etc</span><span class="o">/</span><span class="n">pin</span><span class="o">.</span><span class="n">txt</span>
</pre></div>
</div>
<p>Confirm that there is one KSK and one ZSK present in the current directory:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">ls</span> <span class="o">-</span><span class="n">l</span> <span class="n">K</span><span class="o">*</span>
</pre></div>
</div>
<p>The output should look like this. The first number is the algorithm (008 = RSASHA256);
the second is the key tag, which will be different for your keys:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">Kexample</span><span class="o">.</span><span class="n">net</span><span class="o">.+</span><span class="mi">008</span><span class="o">+</span><span class="mf">31729.</span><span class="n">key</span>
<span class="n">Kexample</span><span class="o">.</span><span class="n">net</span><span class="o">.+</span><span class="mi">008</span><span class="o">+</span><span class="mf">31729.</span><span class="n">private</span>
<span class="n">Kexample</span><span class="o">.</span><span class="n">net</span><span class="o">.+</span><span class="mi">008</span><span class="o">+</span><span class="mf">42231.</span><span class="n">key</span>
<span class="n">Kexample</span><span class="o">.</span><span class="n">net</span><span class="o">.+</span><span class="mi">008</span><span class="o">+</span><span class="mf">42231.</span><span class="n">private</span>
</pre></div>
</div>
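<p>As an added example (not BIND or ISC code), the following Python script performs the
check above programmatically: for every <code class="docutils literal notranslate"><span class="pre">K*.key</span></code> file it recomputes the RFC 4034
key tag from the DNSKEY record, verifies that the tag and the algorithm number match the
file name, classifies the key as KSK or ZSK from the SEP flag, and warns if a companion
<code class="docutils literal notranslate"><span class="pre">.private</span></code> file carries raw RSA fields (Modulus:, PrivateExponent:, …) instead of a
reference to the HSM. The two sample keys in <code class="docutils literal notranslate"><span class="pre">demo()</span></code> are constructed (a real
public exponent, a made-up four-byte modulus) so the script runs offline; the same key-tag
computation applies to the ECDSA keys discussed below, since only algorithm 1 (RSAMD5) uses a
different formula.</p>

```python
"""Check the K*.key / K*.private files that dnssec-keyfromlabel wrote.

Added example for this chapter, not BIND code.  The key tag is RFC 4034
Appendix B; the field names used to spot raw RSA material are those of
BIND's .private file format.
"""
import base64
import glob
import os
import re
import tempfile

_FNAME = re.compile(r"^K(?P<zone>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.key$")
# Present only when the private key itself was written to disk, not an HSM reference.
_RAW_KEY_FIELDS = ("Modulus:", "PrivateExponent:", "Prime1:", "Prime2:")


def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1/RSAMD5)."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(path):
    """Return (flags, protocol, algorithm, pubkey bytes) from the DNSKEY line of a .key file."""
    with open(path) as fh:
        for line in fh:
            fields = line.split()
            if line.startswith(";") or "DNSKEY" not in fields:
                continue
            i = fields.index("DNSKEY")          # tolerates an optional TTL before 'IN'
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            return flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))
    raise ValueError(f"{path}: no DNSKEY record")


def check_key_dir(directory):
    """Return (roles, problems): roles maps file name to 'KSK'/'ZSK'; problems lists mismatches."""
    roles, problems = {}, []
    for path in sorted(glob.glob(os.path.join(directory, "K*.key"))):
        name = os.path.basename(path)
        m = _FNAME.match(name)
        if not m:
            problems.append(f"{name}: unexpected file name")
            continue
        flags, proto, alg, pubkey = parse_key_file(path)
        if proto != 3 or not flags & 0x100:
            problems.append(f"{name}: not a zone key (flags {flags}, protocol {proto})")
        if alg != int(m.group("alg")):
            problems.append(f"{name}: record algorithm {alg} differs from file name")
        tag = dnskey_keytag(flags, proto, alg, pubkey)
        if tag != int(m.group("tag")):
            problems.append(f"{name}: computed key tag {tag} differs from file name")
        roles[name] = "KSK" if flags & 1 else "ZSK"   # flags bit 15 (value 1) is SEP
        private = path[:-4] + ".private"
        if os.path.exists(private):
            with open(private) as fh:
                if any(l.startswith(_RAW_KEY_FIELDS) for l in fh):
                    problems.append(f"{name}: .private holds raw RSA key material")
    ksk, zsk = list(roles.values()).count("KSK"), list(roles.values()).count("ZSK")
    if (ksk, zsk) != (1, 1):
        problems.append(f"expected one KSK and one ZSK, found {ksk} KSK / {zsk} ZSK")
    return roles, problems


# Constructed sample keys: exponent 65537 plus a four-byte stand-in modulus; the
# tags in the file names (01803 and 58599) were computed with dnskey_keytag().
_KSK = "example.net. IN DNSKEY 257 3 8 AwEAAf////8=\n"
_ZSK = "example.net. IN DNSKEY 256 3 8 AwEAAe7u7u4=\n"


def _write(directory, name, body):
    with open(os.path.join(directory, name), "w") as fh:
        fh.write("; constructed sample, not a real key\n" + body)


def demo():
    """A correct key directory, then one with a mis-tagged KSK whose .private holds raw key material."""
    good = tempfile.mkdtemp()
    _write(good, "Kexample.net.+008+01803.key", _KSK)
    _write(good, "Kexample.net.+008+58599.key", _ZSK)
    bad = tempfile.mkdtemp()
    _write(bad, "Kexample.net.+008+00001.key", _KSK)
    _write(bad, "Kexample.net.+008+00001.private",
           "Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\nModulus: AA==\nPrivateExponent: AA==\n")
    _write(bad, "Kexample.net.+008+58599.key", _ZSK)
    return {"good": check_key_dir(good), "bad": check_key_dir(bad)}


if __name__ == "__main__":
    for label, (roles, problems) in demo().items():
        print(label, roles, problems or "OK")
```

<p>Run it in the directory holding the key files (or point <code class="docutils literal notranslate"><span class="pre">check_key_dir()</span></code> at it): an
empty problem list and exactly one KSK and one ZSK is what the step above expects to see.</p>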
<p>A note on generating ECDSA keys: there is a bug in the key lookup of libp11, which
compares keys by their ID only, not by their label. Keys created without an explicit ID all
share an empty ID, so a lookup by label returns the first such key rather than the matching
one. To work around this when creating ECDSA keys, give each key a unique ID (below, the
hex SHA-1 of its label):</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>ksk=$(echo &quot;example.net-ksk&quot; | openssl sha1 -r | awk &#39;{print $1}&#39;)
zsk=$(echo &quot;example.net-zsk&quot; | openssl sha1 -r | awk &#39;{print $1}&#39;)
pkcs11-tool --module &lt;FULL_PATH_TO_HSM_MODULE&gt; -l -k --key-type EC:prime256v1 --id $ksk --label example.net-ksk --pin &lt;PIN&gt;
pkcs11-tool --module &lt;FULL_PATH_TO_HSM_MODULE&gt; -l -k --key-type EC:prime256v1 --id $zsk --label example.net-zsk --pin &lt;PIN&gt;
</pre></div>
</div>
</section>
<section id="specifying-the-engine-on-the-command-line">
<h3><span class="section-number">5.5.6. </span>Specifying the Engine on the Command Line<a class="headerlink" href="#specifying-the-engine-on-the-command-line" title="Link to this heading"></a></h3>
<p>When using OpenSSL-based PKCS#11, the “engine” to be used by OpenSSL is selected
in <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> and all of the BIND <code class="docutils literal notranslate"><span class="pre">dnssec-*</span></code> tools with the <code class="docutils literal notranslate"><span class="pre">-E</span>
<span class="pre">&lt;engine&gt;</span></code> command line option. The name must match the <code class="docutils literal notranslate"><span class="pre">engine_id</span></code> in the
OpenSSL configuration above, which is <code class="docutils literal notranslate"><span class="pre">pkcs11</span></code> for engine_pkcs11.</p>
<p>Zone signing then proceeds as usual, with only one small difference: the OpenSSL
engine is named with the <code class="docutils literal notranslate"><span class="pre">-E</span></code> command line option.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">dnssec</span><span class="o">-</span><span class="n">signzone</span> <span class="o">-</span><span class="n">E</span> <span class="n">pkcs11</span> <span class="o">-</span><span class="n">S</span> <span class="o">-</span><span class="n">o</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span> <span class="n">example</span><span class="o">.</span><span class="n">net</span>
</pre></div>
</div>
</section>
<section id="running-named-with-automatic-zone-re-signing">
<h3><span class="section-number">5.5.7. </span>Running <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> With Automatic Zone Re-signing<a class="headerlink" href="#running-named-with-automatic-zone-re-signing" title="Link to this heading"></a></h3>
<p>The zone can also be signed automatically by named. Again, we need to provide
the name of the OpenSSL engine using the <a class="reference internal" href="manpages.html#cmdoption-named-E"><code class="xref std std-option docutils literal notranslate"><span class="pre">-E</span></code></a> command line option.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">named</span> <span class="o">-</span><span class="n">E</span> <span class="n">pkcs11</span> <span class="o">-</span><span class="n">c</span> <span class="n">named</span><span class="o">.</span><span class="n">conf</span>
</pre></div>
</div>
<p>and the logs should have lines like:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span>Fetching example.net/RSASHA256/31729 (KSK) from key repository.
DNSKEY example.net/RSASHA256/31729 (KSK) is now published
DNSKEY example.net/RSASHA256/31729 (KSK) is now active
Fetching example.net/RSASHA256/42231 (ZSK) from key repository.
DNSKEY example.net/RSASHA256/42231 (ZSK) is now published
DNSKEY example.net/RSASHA256/42231 (ZSK) is now active
</pre></div>
</div>
<p>For <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> to dynamically re-sign zones using HSM keys,
and/or to sign new records inserted via nsupdate, <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> must
have access to the HSM PIN. In OpenSSL-based PKCS#11, this is
accomplished by placing the PIN into the <code class="docutils literal notranslate"><span class="pre">openssl.cnf</span></code> file (in the above
examples, <code class="docutils literal notranslate"><span class="pre">/opt/bind9/etc/openssl.cnf</span></code>). Because that file then holds a
secret, it should be owned by the user <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a> runs as and not be
readable by anyone else.</p>
<p>The location of the openssl.cnf file can be overridden by setting the
<code class="docutils literal notranslate"><span class="pre">OPENSSL_CONF</span></code> environment variable before running <a class="reference internal" href="manpages.html#std-iscman-named"><code class="xref std std-iscman docutils literal notranslate"><span class="pre">named</span></code></a>.</p>
<p>Here is a sample <code class="docutils literal notranslate"><span class="pre">openssl.cnf</span></code>. In the configuration built up in section
5.5.4, the <code class="docutils literal notranslate"><span class="pre">PIN</span></code> line goes into the same <code class="docutils literal notranslate"><span class="pre">pkcs11_section</span></code> that already holds
<code class="docutils literal notranslate"><span class="pre">dynamic_path</span></code> and <code class="docutils literal notranslate"><span class="pre">MODULE_PATH</span></code>:</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="n">openssl_conf</span> <span class="o">=</span> <span class="n">openssl_def</span>
<span class="p">[</span> <span class="n">openssl_def</span> <span class="p">]</span>
<span class="n">engines</span> <span class="o">=</span> <span class="n">engine_section</span>
<span class="p">[</span> <span class="n">engine_section</span> <span class="p">]</span>
<span class="n">pkcs11</span> <span class="o">=</span> <span class="n">pkcs11_section</span>
<span class="p">[</span> <span class="n">pkcs11_section</span> <span class="p">]</span>
<span class="n">PIN</span> <span class="o">=</span> <span class="o">&lt;</span><span class="n">PLACE</span> <span class="n">PIN</span> <span class="n">HERE</span><span class="o">&gt;</span>
</pre></div>
</div>
<p>This also allows the <code class="docutils literal notranslate"><span class="pre">dnssec-*</span></code> tools to access the HSM without PIN
entry. (The <code class="docutils literal notranslate"><span class="pre">pkcs11-*</span></code> tools access the HSM directly, not via OpenSSL, so
a PIN is still required to use them.)</p>
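<p>The following Python script is an added example for this chapter (not BIND, libp11 or ISC
code) that checks the two things this section and section 5.5.4 rely on: that the
<code class="docutils literal notranslate"><span class="pre">openssl.cnf</span></code> engine chain (<code class="docutils literal notranslate"><span class="pre">openssl_conf</span></code>, then <code class="docutils literal notranslate"><span class="pre">engines</span></code>, then the
<code class="docutils literal notranslate"><span class="pre">pkcs11</span></code> section) resolves with exactly one top-level <code class="docutils literal notranslate"><span class="pre">openssl_conf</span></code> line and existing
<code class="docutils literal notranslate"><span class="pre">dynamic_path</span></code> / <code class="docutils literal notranslate"><span class="pre">MODULE_PATH</span></code> files, and that a PIN kept in <code class="docutils literal notranslate"><span class="pre">openssl.cnf</span></code> or in a
<code class="docutils literal notranslate"><span class="pre">pin-source</span></code> file is not readable by other users. It parses only the configuration
subset used above; the configs, shared-object placeholders and PIN used by <code class="docutils literal notranslate"><span class="pre">demo()</span></code> are
constructed in a temporary directory so the script runs offline.</p>

```python
"""Sanity checks for an engine_pkcs11 openssl.cnf and for PIN material on disk.

Added example for this chapter, not BIND or libp11 code.  It understands only
the subset of OpenSSL's config syntax that the engine setup uses.
"""
import os
import re
import stat
import tempfile

_SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")
_ASSIGN = re.compile(r"^([A-Za-z_][\w.]*)\s*=\s*(.*?)$")


def parse_openssl_conf(text):
    """Return (top_level, sections, n_openssl_conf).

    top_level holds keys seen before the first [section]; n_openssl_conf counts
    'openssl_conf =' lines there, since a leftover second one is the usual reason
    the engine section is never read.  Keys are kept verbatim because engine
    control names such as MODULE_PATH are matched case-sensitively by OpenSSL.
    """
    top, sections, current, n_conf = {}, {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key, value = m.groups()
        if current is None:
            if key == "openssl_conf":
                n_conf += 1
            top[key] = value
        else:
            current[key] = value
    return top, sections, n_conf


def group_or_world_readable(path):
    return bool(stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRGRP | stat.S_IROTH))


def check_engine_config(conf_path):
    """Return a list of problems; an empty list means the engine chain resolves cleanly."""
    with open(conf_path) as fh:
        top, sections, n_conf = parse_openssl_conf(fh.read())
    problems = []
    if n_conf != 1:
        problems.append(f"expected exactly one top-level 'openssl_conf =' line, found {n_conf}")
    init = sections.get(top.get("openssl_conf", ""))
    if init is None:
        return problems + ["openssl_conf does not name an existing section"]
    engines = sections.get(init.get("engines", ""))
    if engines is None:
        return problems + ["'engines =' does not name an existing section"]
    pkcs11 = sections.get(engines.get("pkcs11", ""))
    if pkcs11 is None:
        return problems + ["no 'pkcs11 =' entry naming a section"]
    for key in ("dynamic_path", "MODULE_PATH"):   # engine .so and the HSM's PKCS#11 module
        if key in pkcs11 and not os.path.isfile(pkcs11[key]):
            problems.append(f"{key} = {pkcs11[key]} does not exist")
    if "PIN" in pkcs11 and group_or_world_readable(conf_path):
        problems.append("PIN is stored in the config but the file is group/world readable")
    return problems


def write_pin_file(path, pin):
    """Create a pin-source file readable only by its owner, whatever the caller's umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pin)        # no trailing newline, as with 'echo -n'
    os.chmod(path, 0o600)    # the mode given to O_CREAT is still subject to umask
    return stat.S_IMODE(os.stat(path).st_mode)


_TEMPLATE = """openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = {engine}
MODULE_PATH = {module}
init = 0
"""


def demo():
    """Constructed sample: a correct config, then one with a duplicate openssl_conf and a readable PIN."""
    d = tempfile.mkdtemp()
    engine, module = os.path.join(d, "pkcs11.so"), os.path.join(d, "libsofthsm2.so")
    for p in (engine, module):
        open(p, "w").close()    # empty stand-ins for the real shared objects
    body = _TEMPLATE.format(engine=engine, module=module)
    good, bad = os.path.join(d, "good.cnf"), os.path.join(d, "bad.cnf")
    with open(good, "w") as fh:
        fh.write(body)
    with open(bad, "w") as fh:
        fh.write("openssl_conf = openssl_init\n" + body + "PIN = 0000\n")
    os.chmod(good, 0o644)
    os.chmod(bad, 0o644)
    result = {"good": check_engine_config(good), "bad": check_engine_config(bad)}
    os.chmod(bad, 0o600)
    result["bad_after_chmod"] = check_engine_config(bad)
    result["pin_mode"] = write_pin_file(os.path.join(d, "pin.txt"), "0000")
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

<p>Point <code class="docutils literal notranslate"><span class="pre">check_engine_config()</span></code> at the file named by <code class="docutils literal notranslate"><span class="pre">OPENSSL_CONF</span></code> before starting
<code class="docutils literal notranslate"><span class="pre">named</span></code>; the mode check only inspects permission bits, so it also catches a config that
is readable because of a permissive umask at the time it was copied into place.</p>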
</section>
</section>
</section>


           </div>
          </div>
          <footer><div class="rst-footer-buttons" role="navigation" aria-label="Footer">
        <a href="chapter4.html" class="btn btn-neutral float-left" title="4. Name Server Operations" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left" aria-hidden="true"></span> Previous</a>
        <a href="chapter6.html" class="btn btn-neutral float-right" title="6. Advanced Configurations" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right" aria-hidden="true"></span></a>
    </div>

  <hr/>

  <div role="contentinfo">
    <p>&#169; Copyright 2025, Internet Systems Consortium.</p>
  </div>

  Built with <a href="https://www.sphinx-doc.org/">Sphinx</a> using a
    <a href="https://github.com/readthedocs/sphinx_rtd_theme">theme</a>
    provided by <a href="https://readthedocs.org">Read the Docs</a>.
   

</footer>
        </div>
      </div>
    </section>
  </div>
  <script>
      jQuery(function () {
          SphinxRtdTheme.Navigation.enable(true);
      });
  </script> 

</body>
</html>