lost and found ( for me ? )

[ DNSSEC tools : rollerd ZSK rollover (Pre-Publish) ]

A tool that rolls over the ZSK and KSK automatically.

[ ZSK rollover: Pre-Publish ]

The Pre-Publish rollover uses multiple ZSKs.

Defining three kinds of ZSK, the Current ZSK, the Published ZSK and the New ZSK:

The zone is signed with the Current ZSK and the Published ZSK.
The New ZSK is used later (once the Current ZSK expires).

When the Current ZSK expires:

- the Current ZSK expires
- the Published ZSK becomes the Current ZSK
- the New ZSK becomes the Published ZSK
- a new New ZSK is generated

[ Procedure ]

・Make the zone DNSSEC-enabled with zonesigner from dnssec-tools
・Create the config for rollerd
・Set the paths of commands such as rndc in /etc/dnssec-tools.conf
・Start rollerd
・Check that the ZSK is rolled over

[ Log ]

1. Prepare a zone signed with zonesigner

Test zone
root@ubuntu-3:/var/cache/bind# cat hello.co.jp
$TTL 60
hello.co.jp.   60     IN SOA  root.hello.co.jp. admin.hello.co.jp. (
                                      2010110501   ; serial
                                      7200       ; refresh (2 hours)
                                      3600       ; retry (1 hour)
                                      604800     ; expire (1 week)
                                      60        ; minimum (10 minutes)
                                      )
                       60     NS      ns.test.co.jp.

ns                      60     IN A    192.168.11.132
www                     60     IN A    192.0.2.2
www2                    60     IN A    192.0.2.3


Signing

Set things up so that the key expires quickly.

      -endtime
          Time that the zone expires, measured in seconds.  See the man page
          for dnssec-signzone for the valid format of this field.  The
          default value is 2592000 seconds (30 days.)

      -zsklife
          The time between ZSK rollovers.  This is measured in seconds. ( default 7 days )

      -ksklife
          The time between KSK rollovers.  This is measured in seconds. ( default 188 days )
root@ubuntu-3:/var/cache/bind# zonesigner -zsklife 300 -genkeys -zone hello.co.jp hello.co.jp

       if zonesigner appears hung, strike keys until the program completes
       (see the "Entropy" section in the man page for details)

Generating key pair.................++++++ ......++++++
Generating key pair.........++++++ .........................................++++++
Generating key pair.................+++ ...+++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked

zone signed successfully

hello.co.jp:
       KSK (cur) 36544  -b 2048  11/05/10      (hello.co.jp-signset-3)
       ZSK (cur) 48366  -b 1024  11/05/10      (hello.co.jp-signset-1)
       ZSK (pub) 02385  -b 1024  11/05/10      (hello.co.jp-signset-2)

zone will expire in 4 weeks, 2 days, 0 seconds
DO NOT delete the keys until this time has passed.
root@ubuntu-3:/var/cache/bind#


Checking the signature expiration. This is the expiration of the signed zone, not the expiration of the key.
This time it is the key expiration that matters, so this command was not relevant...
root@ubuntu-3:/var/cache/bind# expchk -all -warn 100 hello.co.jp.krf
hello.co.jp valid:  expires in 29 days


krf : keyrec files retain information about previous key-generation and zone-signing operations.

The krf file records information such as the current ZSK and the published ZSK.
root@ubuntu-3:/var/cache/bind# cat hello.co.jp.krf
zone    "hello.co.jp"
       serial          "2010110502"
       kskcur          "hello.co.jp-signset-3"
       zskpub          "hello.co.jp-signset-2"
       zskcur          "hello.co.jp-signset-1"
       zskcount        "1"
       signedzone      "hello.co.jp.signed"
       kskcount        "1"
       archivedir      "/var/lib/dnssec-tools/archive"
       kskdirectory    "."
       zskdirectory    "."
       endtime         "+2592000"
       lastset         "hello.co.jp-signset-3"
       zonefile        "hello.co.jp"
       keyrec_type     "zone"
       keyrec_signsecs "1288930156"
       keyrec_signdate "Fri Nov  5 04:09:16 2010"

set     "hello.co.jp-signset-1"
       keys            "Khello.co.jp.+005+48366"
       zonename        "hello.co.jp"
       keyrec_setsecs  "1288930155"
       keyrec_setdate  "Fri Nov  5 04:09:15 2010"

set     "hello.co.jp-signset-2"
       keys            "Khello.co.jp.+005+02385"
       zonename        "hello.co.jp"
       keyrec_setsecs  "1288930155"
       keyrec_setdate  "Fri Nov  5 04:09:15 2010"

key     "Khello.co.jp.+005+48366"
       zonename        "hello.co.jp"
       keyrec_type     "zskcur"
       algorithm       "rsasha1"
       random          "/dev/urandom"
       keypath         "./Khello.co.jp.+005+48366.key"
       zsklength       "1024"
       zsklife         "300"
       keyrec_gensecs  "1288930155"
       keyrec_gendate  "Fri Nov  5 04:09:15 2010"

key     "Khello.co.jp.+005+02385"
       zonename        "hello.co.jp"
       keyrec_type     "zskpub"
       algorithm       "rsasha1"
       random          "/dev/urandom"
       keypath         "./Khello.co.jp.+005+02385.key"
       zsklength       "1024"
       zsklife         "300"
       keyrec_gensecs  "1288930155"
       keyrec_gendate  "Fri Nov  5 04:09:15 2010"

set     "hello.co.jp-signset-3"
       keys            "Khello.co.jp.+005+36544"
       zonename        "hello.co.jp"
       keyrec_setsecs  "1288930155"
       keyrec_setdate  "Fri Nov  5 04:09:15 2010"

key     "Khello.co.jp.+005+36544"
       zonename        "hello.co.jp"
       keyrec_type     "kskcur"
       algorithm       "rsasha1"
       random          "/dev/urandom"
       keypath         "./Khello.co.jp.+005+36544.key"
       ksklength       "2048"
       ksklife         "15552000"
       keyrec_gensecs  "1288930156"
       keyrec_gendate  "Fri Nov  5 04:09:16 2010"
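As an added example (not from the original post and not dnssec-tools' own code), here is a small Python reader for the keyrec format above: it resolves the zone's zskcur / zskpub / kskcur signing sets to the key names and checks that each key's own keyrec_type agrees with the role the zone record gives it. The embedded krf is an abridged copy of the one shown; treating a set's keys field as a space-separated list is an assumption.

```python
import re

# Constructed, abridged copy of the hello.co.jp.krf shown above (fields not
# needed here are dropped). Format: a record header at column 0 (`zone`, `set`
# or `key` plus a quoted name) followed by indented `field "value"` lines.
# Assumption: a set's `keys` field may list several names separated by spaces.
SAMPLE_KRF = '''\
zone    "hello.co.jp"
       kskcur          "hello.co.jp-signset-3"
       zskpub          "hello.co.jp-signset-2"
       zskcur          "hello.co.jp-signset-1"
set     "hello.co.jp-signset-1"
       keys            "Khello.co.jp.+005+48366"
set     "hello.co.jp-signset-2"
       keys            "Khello.co.jp.+005+02385"
set     "hello.co.jp-signset-3"
       keys            "Khello.co.jp.+005+36544"
key     "Khello.co.jp.+005+48366"
       keyrec_type     "zskcur"
       zsklife         "300"
key     "Khello.co.jp.+005+02385"
       keyrec_type     "zskpub"
       zsklife         "300"
key     "Khello.co.jp.+005+36544"
       keyrec_type     "kskcur"
'''
FIELD = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$')

def parse_keyrec(text):
    """Return {"zone": {...}, "set": {...}, "key": {...}}, keyed by record name."""
    records = {"zone": {}, "set": {}, "key": {}}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD.match(line)
        if not m:
            raise ValueError("unparseable keyrec line: %r" % line)
        name, value = m.groups()
        if not line[0].isspace() and name in records:  # record header line
            current = records[name].setdefault(value, {})
        else:
            current[name] = value  # a field before any header raises TypeError
    return records

def key_roles(records, zone):
    """Resolve the zone's zskcur/zskpub/kskcur signing sets to key names."""
    z = records["zone"][zone]
    return {r: records["set"][z[r]]["keys"].split()
            for r in ("zskcur", "zskpub", "kskcur")}

def check_consistency(records, zone):
    """Keys whose own keyrec_type disagrees with the role the zone assigns."""
    problems = []
    for role, names in key_roles(records, zone).items():
        for name in names:
            ktype = records["key"].get(name, {}).get("keyrec_type")
            if ktype != role:
                problems.append((name, role, ktype))
    return problems
```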


Check the ZSK and KSK.
DNSKEY flags 256 : ZSK, 257 : KSK
root@ubuntu-3:/var/cache/bind# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAaxg1La0ebSN/cc+YtMUSH9Ibp1+lQgSdm0R4WVrTz0re75nzVMg akrPmIDQh1ZQGAlcitO0T4wSwJE0bJiU1y8z57FT6t4rIPvbFv8eBBpo yXg852wb2QdnsfK3UMjf0yTlzJKR4fgnB55QVGwBZHMlU95EzFYHZe9n iY7V5VLJ
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdvxmctslj3AUqEZuEzIgEm2i9uJxVSjyJbYASSrXEn4qU4XadFN 2inerKZW/M6C6eK3wcS9S1TL7fXysRVxWyR+mGx82wCFocp41okLiuhq AS1m3JlHMrZbzapT6QgXmbQPEefJz3vMRr+T4pY1t9NWDipYitKb+VaQ lx0vbkch


2. Create the rollrec file
root@ubuntu-3:/var/cache/bind# rollinit hello.co.jp -zonefile /var/cache/bind/hello.co.jp.signed -keyrec /var/cache/bind/hello.co.jp.krf -admin admin@hello.co.jp > hello.co.jp.rollrec

root@ubuntu-3:/var/cache/bind# cat hello.co.jp.rollrec
roll    "hello.co.jp"
       zonefile        "/var/cache/bind/hello.co.jp.signed"
       keyrec          "/var/cache/bind/hello.co.jp.krf"
       administrator   "admin@hello.co.jp"
       kskphase        "0"
       zskphase        "0"
       ksk_rolldate    " "
       ksk_rollsecs    "0"
       zsk_rolldate    " "
       zsk_rollsecs    "0"
       maxttl          "0"
       display         "1"
       phasestart      "new"
       # optional records for RFC5011 rolling:
       istrustanchor           "no"
       holddowntime            "60D"


3. Start rollerd

A Perl module was missing...
root@ubuntu-3:~# rollerd -h
Can't locate Mail/Send.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl .) at /usr/share/perl5/Net/DNS/SEC/Tools/dnssectools.pm line 18.
BEGIN failed--compilation aborted at /usr/share/perl5/Net/DNS/SEC/Tools/dnssectools.pm line 18.
Compilation failed in require at /usr/bin/rollerd line 41.
BEGIN failed--compilation aborted at /usr/bin/rollerd line 41.
root@ubuntu-3:~#

root@ubuntu-3:~# perl -MCPAN -e shell
cpan[1]> install MIME::Lite


Now it should work...
root@ubuntu-3:/var/cache/bind# rollerd -verbose -loglevel debug -logfile - -rrfile hello.co.jp.rollrec -sleep 30 -directory /var/cache/bind
unknown logging level "debug"
valid logging levels (text and numeric forms):
       tmi              1
       expire           3
       info             4
       phase    6
       err              8
       fatal            9
root@ubuntu-3:/var/cache/bind# Nov  5 04:14:08 2010: rollerd starting ----------------------------------------
Nov  5 04:14:08 2010: rollerd parameters:
Nov  5 04:14:08 2010:           rollrec file    "/var/cache/bind/hello.co.jp.rollrec"
Nov  5 04:14:08 2010:           logfile         "-"
Nov  5 04:14:08 2010:           loglevel        "debug"
Nov  5 04:14:08 2010:           sleeptime       "30"
Nov  5 04:14:08 2010:
Nov  5 04:14:08 2010: hello.co.jp: execution directory:  chdir(/var/cache/bind)
Nov  5 04:14:08 2010: hello.co.jp: current KSK still valid
Nov  5 04:14:08 2010: hello.co.jp: current ZSK still valid
Nov  5 04:14:08 2010: : keys checked in 0 seconds
Nov  5 04:14:08 2010: : checking commands
Nov  5 04:14:13 2010: sleeping for 30 seconds


・Check the status with rollctl
root@ubuntu-3:~# rollctl -status
boot-time:          Fri Nov  5 04:14:08 2010
directory:          /var/cache/bind
rollrec file:       /var/cache/bind/hello.co.jp.rollrec
logfile:            /dev/stdout
loglevel:           -1
sleeptime:          30

root@ubuntu-3:~# rollctl -zonestatus
hello.co.jp     roll    ZSK 0: Not Rolling


The ZSK will expire in 3 minutes and 40 seconds.
Nov  5 04:15:28 2010: hello.co.jp:         expiration in 3 minutes, 40 seconds
Nov  5 04:15:28 2010: hello.co.jp: current ZSK still valid


The ZSK has expired.
Nov  5 04:19:52 2010: hello.co.jp: current ZSK has expired
Nov  5 04:19:52 2010: hello.co.jp: starting ZSK rollover
Nov  5 04:19:52 2010: hello.co.jp: ZSK phase 1 (Waiting for the old zone data to expire from caches)

hello.co.jp     roll    ZSK 1: Waiting for the old zone data to expire from caches


The ZSK rollover proceeds through the following steps.

- wait 2 * max(TTL in zone)
- run zonesigner using -usezskpub
- wait 2 * max(TTL in zone)
- run zonesigner using -rollzsk
- wait 2 * max(TTL in zone)


・phase 1 : wait 2 * max(TTL in zone)

The maximum TTL in the zone is 60 seconds, so it waits 60*2 = 120 seconds.
Nov  5 04:21:02 2010: hello.co.jp: current KSK still valid
Nov  5 04:21:02 2010: hello.co.jp: ZSK phase 1 rollover TTL check
Nov  5 04:21:02 2010: hello.co.jp: ZSK phase 1 endtime  Fri Nov  5 04:21:52 2010
Nov  5 04:21:02 2010: hello.co.jp: ZSK phase 1 curtime  Fri Nov  5 04:21:02 2010
Nov  5 04:21:02 2010: hello.co.jp: ZSK phase 1 (Waiting for the old zone data to expire from caches); cache expires in 50 seconds


The ZSK has not rolled over yet.
root@ubuntu-3:~# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAaxg1La0ebSN/cc+YtMUSH9Ibp1+lQgSdm0R4WVrTz0re75nzVMg akrPmIDQh1ZQGAlcitO0T4wSwJE0bJiU1y8z57FT6t4rIPvbFv8eBBpo yXg852wb2QdnsfK3UMjf0yTlzJKR4fgnB55QVGwBZHMlU95EzFYHZe9n iY7V5VLJ
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdvxmctslj3AUqEZuEzIgEm2i9uJxVSjyJbYASSrXEn4qU4XadFN 2inerKZW/M6C6eK3wcS9S1TL7fXysRVxWyR+mGx82wCFocp41okLiuhq AS1m3JlHMrZbzapT6QgXmbQPEefJz3vMRr+T4pY1t9NWDipYitKb+VaQ lx0vbkch
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=


・phase 2 ( run zonesigner using -usezskpub )
Nov  5 04:22:17 2010: hello.co.jp: moving to ZSK phase 2 (Signing the zone with the KSK and published ZSK)
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 2 (Signing the zone with the KSK and published ZSK)
Nov  5 04:22:17 2010: hello.co.jp: executing "/usr/bin/zonesigner -usezskpub hello.co.jp hello.co.jp.signed"
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked


The ZSK still has not rolled over.
root@ubuntu-3:~# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAaxg1La0ebSN/cc+YtMUSH9Ibp1+lQgSdm0R4WVrTz0re75nzVMg akrPmIDQh1ZQGAlcitO0T4wSwJE0bJiU1y8z57FT6t4rIPvbFv8eBBpo yXg852wb2QdnsfK3UMjf0yTlzJKR4fgnB55QVGwBZHMlU95EzFYHZe9n iY7V5VLJ
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdvxmctslj3AUqEZuEzIgEm2i9uJxVSjyJbYASSrXEn4qU4XadFN 2inerKZW/M6C6eK3wcS9S1TL7fXysRVxWyR+mGx82wCFocp41okLiuhq AS1m3JlHMrZbzapT6QgXmbQPEefJz3vMRr+T4pY1t9NWDipYitKb+VaQ lx0vbkch


-usezskpub
Use the existing Published ZSKs to sign the zone.

・phase 3 : wait 2 * max(TTL in zone)
Nov  5 04:22:17 2010: hello.co.jp: moving to ZSK phase 3 (Waiting for the old zone data to expire from caches)
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 3 (Waiting for the old zone data to expire from caches)
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 3 rollover TTL check
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 3 endtime  Fri Nov  5 04:24
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 3 curtime  Fri Nov  5 04:22
Nov  5 04:22:17 2010: hello.co.jp: ZSK phase 3 (Waiting for the old zone data to expire from caches); cache expires in 2 minutes, 0 seconds


The ZSK still has not rolled over.
root@ubuntu-3:~# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAaxg1La0ebSN/cc+YtMUSH9Ibp1+lQgSdm0R4WVrTz0re75nzVMg akrPmIDQh1ZQGAlcitO0T4wSwJE0bJiU1y8z57FT6t4rIPvbFv8eBBpo yXg852wb2QdnsfK3UMjf0yTlzJKR4fgnB55QVGwBZHMlU95EzFYHZe9n iY7V5VLJ
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdvxmctslj3AUqEZuEzIgEm2i9uJxVSjyJbYASSrXEn4qU4XadFN 2inerKZW/M6C6eK3wcS9S1TL7fXysRVxWyR+mGx82wCFocp41okLiuhq AS1m3JlHMrZbzapT6QgXmbQPEefJz3vMRr+T4pY1t9NWDipYitKb+VaQ lx0vbkch
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=


・phase 4
Nov  5 04:35:03 2010: hello.co.jp: ZSK phase 4 (Adjusting keys in the keyrec and signing the zone with new ZSK)
Nov  5 04:35:03 2010: hello.co.jp: executing "/usr/bin/zonesigner -rollzsk hello.co.jp hello.co.jp.signed"
Generating key pair..++++++ ...........................++++++
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked
Nov  5 04:35:03 2010: hello.co.jp: executing "/usr/bin/zonesigner  hello.co.jp hello.co.jp.signed"
Verifying the zone using the following algorithms: RSASHA1.
Zone signing complete:
Algorithm: RSASHA1: KSKs: 1 active, 0 stand-by, 0 revoked
                   ZSKs: 1 active, 1 stand-by, 0 revoked


No change...
root@ubuntu-3:~# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAaxg1La0ebSN/cc+YtMUSH9Ibp1+lQgSdm0R4WVrTz0re75nzVMg akrPmIDQh1ZQGAlcitO0T4wSwJE0bJiU1y8z57FT6t4rIPvbFv8eBBpo yXg852wb2QdnsfK3UMjf0yTlzJKR4fgnB55QVGwBZHMlU95EzFYHZe9n iY7V5VLJ
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdvxmctslj3AUqEZuEzIgEm2i9uJxVSjyJbYASSrXEn4qU4XadFN 2inerKZW/M6C6eK3wcS9S1TL7fXysRVxWyR+mGx82wCFocp41okLiuhq AS1m3JlHMrZbzapT6QgXmbQPEefJz3vMRr+T4pY1t9NWDipYitKb+VaQ lx0vbkch
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=


Run rndc reload.
root@ubuntu-3:~# rndc reload
server reload successful


The ZSK changed. I wish it would run rndc reload automatically...
I left it alone for a while, so the rollover ended up replacing both ZSKs...
root@ubuntu-3:~# dig @127.1 hello.co.jp dnskey +norec | egrep '(256|257)'
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAbI+/BATbJLjGzCbFJZkKNHE3ZaHcKg7vl06Af3A88ZiH3lYeniy Ot2kO0e9EpQi5PkmfhNA1woi8SJtbmXUZjzvoezPWr15K8c14//Q4jVP iW9d2gkRA4wOozArSFKW/s+VwhP5pUAJCiBbp692mpMMxtABZg1s/M3I xWbHBvb3
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAeHBrkTTH0A0cgrNcrepPM9YDl/v5i5C6gkdWFcUU9jTpMJYFrAo VtsQx4VCOPycFQScvYMlRcvtbM5dfDcGNSAnT/Mj6XJ20RlpX99u6T0A SrffSAObaDcDWToVE7rqXEGTtDTbGITM2cf3AH3JnLOt4grHgWUb4GU0 IJAHruGd
hello.co.jp.            60      IN      DNSKEY  257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8=


Looking at the rollerd manual, it seems it is supposed to run rndc for you... Maybe the path setting is wrong...

      rollerd uses the rndc command to communicate with the BIND named
      daemon.  Therefore, it assumes that appropriate measures have been
      taken so that this communication is possible.

After adding the path to rndc in dnssec-tools.conf, it does the reload as well.
See man dnssec-tools.conf for details.
root@ubuntu-3:~# egrep rndc /etc/dnssec-tools/dnssec-tools.conf
rndc            /usr/sbin/rndc


It now runs rndc reload for us.
Nov  5 09:01:15 ubuntu-3 named[848]: received control channel command 'reload'
Nov  5 09:01:15 ubuntu-3 named[848]: reloading configuration succeeded
Nov  5 09:01:15 ubuntu-3 named[848]: reloading zones succeeded
Nov  5 09:03:35 ubuntu-3 named[848]: received control channel command 'reload'
Nov  5 09:03:35 ubuntu-3 named[848]: reloading configuration succeeded
Nov  5 09:03:35 ubuntu-3 named[848]: reloading zones succeeded


・In practice, the ZSKs are replaced one at a time

The key in red (the first of the two) was replaced.

phase 3
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAbI+/BATbJLjGzCbFJZkKNHE3ZaHcKg7vl06Af3A88ZiH3lYeniy Ot2kO0e9EpQi5PkmfhNA1woi8SJtbmXUZjzvoezPWr15K8c14//Q4jVP iW9d2gkRA4wOozArSFKW/s+VwhP5pUAJCiBbp692mpMMxtABZg1s/M3I xWbHBvb3
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAeHBrkTTH0A0cgrNcrepPM9YDl/v5i5C6gkdWFcUU9jTpMJYFrAo VtsQx4VCOPycFQScvYMlRcvtbM5dfDcGNSAnT/Mj6XJ20RlpX99u6T0A SrffSAObaDcDWToVE7rqXEGTtDTbGITM2cf3AH3JnLOt4grHgWUb4GU0 IJAHruGd


phase 4 ( after the ZSK rollover )
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAdRJct4Ef2rqf5N7/Jx76j4jgOiGlS7QUd7zJBSyrFyQIS70pV2I on7CyV1+qY83KGF6QrZrFWZDG15tm5q56tcXhuJ2eEtFT5bLC8sgM2ss sIxz6Hift0tU6U0X83tFuPI4WwTKj58zwqAP3iF7/c+SHKWJRxqEaPf+ SKZbTbuX
hello.co.jp.            60      IN      DNSKEY  256 3 5 AwEAAeHBrkTTH0A0cgrNcrepPM9YDl/v5i5C6gkdWFcUU9jTpMJYFrAo VtsQx4VCOPycFQScvYMlRcvtbM5dfDcGNSAnT/Mj6XJ20RlpX99u6T0A SrffSAObaDcDWToVE7rqXEGTtDTbGITM2cf3AH3JnLOt4grHgWUb4GU0 IJAHruGd
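The 256/257 check earlier and the phase 3 / phase 4 comparison here were done by eye. As an added example (not the post's own code), the following Python parses dig's DNSKEY lines, classifies each key by its flags, computes the RFC 4034 key tag (the NNNNN in the Khello.co.jp.+005+NNNNN file names) and diffs two snapshots to report which ZSKs were replaced. The embedded lines are copied from the dig output above; the short owner/TTL formatting is just whitespace.

```python
import base64

# Constructed from the `dig @127.1 hello.co.jp dnskey` output captured in this
# post: the ZSK lines seen in phase 3 (A, B) and after the phase 4 rollover
# (C, B), plus the KSK line, which is the same in every snapshot.
ZSK_A = "hello.co.jp. 60 IN DNSKEY 256 3 5 AwEAAbI+/BATbJLjGzCbFJZkKNHE3ZaHcKg7vl06Af3A88ZiH3lYeniy Ot2kO0e9EpQi5PkmfhNA1woi8SJtbmXUZjzvoezPWr15K8c14//Q4jVP iW9d2gkRA4wOozArSFKW/s+VwhP5pUAJCiBbp692mpMMxtABZg1s/M3I xWbHBvb3"
ZSK_B = "hello.co.jp. 60 IN DNSKEY 256 3 5 AwEAAeHBrkTTH0A0cgrNcrepPM9YDl/v5i5C6gkdWFcUU9jTpMJYFrAo VtsQx4VCOPycFQScvYMlRcvtbM5dfDcGNSAnT/Mj6XJ20RlpX99u6T0A SrffSAObaDcDWToVE7rqXEGTtDTbGITM2cf3AH3JnLOt4grHgWUb4GU0 IJAHruGd"
ZSK_C = "hello.co.jp. 60 IN DNSKEY 256 3 5 AwEAAdRJct4Ef2rqf5N7/Jx76j4jgOiGlS7QUd7zJBSyrFyQIS70pV2I on7CyV1+qY83KGF6QrZrFWZDG15tm5q56tcXhuJ2eEtFT5bLC8sgM2ss sIxz6Hift0tU6U0X83tFuPI4WwTKj58zwqAP3iF7/c+SHKWJRxqEaPf+ SKZbTbuX"
KSK = "hello.co.jp. 60 IN DNSKEY 257 3 5 AwEAAdJGJVTnVGbx+eY1HUaqBp9WYazZRsxHIz2p7rg8/BuZ0g7s7HLR XaPWCLdgm4zfnIR0p3B40YX7zzUT/FOftVBhZwGbgX4HD/JoeZyhUZT9 ypKy+gIBMK+5A5xkBnW61ecYJyFIuMxnuc6eNJbAY34rjD49w8eHFv5S ReGpDWYvbIt01+YVB93iN+3fZPnwGAWaiWL6y4wtRF52DZqcLFaGNRcS i1zkBYZmpC6aXg4M6lDWhodgxagXOYVYavP7No5o3tUxUhpISvl2KDZ1 fpcx2DQYBxnEeY17gBLNErhX0csgZGVKnp5g6yJct5qhTNuYXkh8wzST 8KTMED7CBW8="
PHASE3 = [ZSK_A, ZSK_B, KSK]
PHASE4 = [ZSK_C, ZSK_B, KSK]

def parse_dnskey(line):
    """Split a presentation-format DNSKEY RR into (owner, flags, protocol,
    algorithm, public key bytes); dig prints the base64 key in spaced chunks."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[7:]))

def key_tag(flags, proto, alg, pubkey):
    """RFC 4034 Appendix B key tag over the RDATA (valid for algorithms other
    than 1); it is the NNNNN in the Khello.co.jp.+005+NNNNN key-file names."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def role(flags):
    """Bit 7 (256) marks a zone key; the SEP bit (1) is what makes 257 the KSK."""
    if not flags & 0x100:
        return "not-zone-key"
    return "KSK" if flags & 0x1 else "ZSK"

def snapshot(lines):
    """Map each key's public key bytes to (role, key tag)."""
    out = {}
    for line in lines:
        _, flags, proto, alg, pub = parse_dnskey(line)
        out[pub] = (role(flags), key_tag(flags, proto, alg, pub))
    return out

def count_roles(lines):
    """How many ZSKs / KSKs a DNSKEY RRset carries."""
    counts = {}
    for r, _ in snapshot(lines).values():
        counts[r] = counts.get(r, 0) + 1
    return counts

def diff_keys(before, after):
    """Per role, the key tags removed and added between two snapshots."""
    b, a = snapshot(before), snapshot(after)
    out = {}
    for r in ("ZSK", "KSK"):
        gone = sorted(t for p, (rr, t) in b.items() if rr == r and p not in a)
        new = sorted(t for p, (rr, t) in a.items() if rr == r and p not in b)
        out[r] = (gone, new)
    return out
```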


If rollerd is left running as a daemon, it performs the ZSK rollover automatically.
