From 29030fa5d744b6a1a9cf25c81f45fbb8daab200a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Thu, 9 Jun 2022 09:04:24 +0200 Subject: [PATCH] Add hints about secure delegation to DNSSEC chapter of the ARM Let's not duplicate texts from elsewhere, just point to different parts of documentation. --- doc/arm/dnssec.inc.rst | 39 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index a7110b302e..e2ca6ed0dd 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -77,6 +77,7 @@ These filenames contain: safe location and protect them from unauthorized access. Anyone with access to the private key can create fake but seemingly valid DNS data. + .. _dnssec_kasp: Fully Automated (Key and Signing Policy) 
@@ -428,6 +429,44 @@ to provide the parent zone administrators with the ``DNSKEYs`` (or their corresponding ``DS`` records) that are the secure entry point to the zone. +.. _secure_delegation: + +Secure Delegation +~~~~~~~~~~~~~~~~~ + +Once a zone is signed on the authoritative servers, the last remaining step +is to establish chain of trust [#validation]_ between the parent zone +(``example.``) and the local zone (``dnssec.example.``). + +Generally the procedure is: + + - **Wait** for stale data to expire from caches. The amount of time required + is equal to the maximum TTL value used in the zone before signing. This + step ensures that unsigned data expire from caches and resolvers do not get + confused by missing signatures. + - Insert/update DS records in the parent zone (``dnssec.example. DS`` record). + +There are multiple ways to update DS records in the parent zone. Refer to the +documentation for the parent zone to find out which options are applicable to +a given case zone. Generally the options are, from most- to least-recommended: + + - Automatically update the DS record in the parent zone using + ``CDS``/``CDNSKEY`` records automatically generated by BIND. This requires + support for :rfc:`7344` in either parent zone, registry, or registrar. In + that case, configure BIND to :ref:`monitor DS records in the parent + zone ` and everything will happen automatically at the right + time. + - Query the zone for automatically generated ``CDS`` or ``CDNSKEY`` records using + :iscman:`dig`, and then insert these records into the parent zone using + the method specified by the parent zone (web form, e-mail, API, ...). + - Generate DS records manually using the :iscman:`dnssec-dsfromkey` utility on + `zone keys`_, and then insert them into the parent zone. + +.. [#validation] For further details on how the chain of trust is used in practice, see + :ref:`dnssec_12_steps` in the :doc:`dnssec-guide`. + + + DNSSEC Validation ~~~~~~~~~~~~~~~~~
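Review bot: The first hunk (``@@ -77,6 +77,7 @@``) only inserts a blank line ahead of ``.. _dnssec_kasp:`` and is unrelated to the secure-delegation text the subject line describes; either drop it from this patch or mention the whitespace fix in the commit message so the change is not a surprise to the next person reading ``git blame``.

Review bot: In the second hunk the cross-reference ``:ref:`monitor DS records in the parent zone ``` has no ``<label>`` target, so Sphinx will take the whole link text (including the trailing space) as the label and the build will emit an unresolved-reference warning with a dead link in the rendered ARM; it should read ``:ref:`monitor DS records in the parent zone <LABEL_OF_PARENTAL_AGENTS_SECTION>``` with the real section label filled in. The same hunk also relies on a named hyperlink target ```zone keys`_``; please confirm that target is defined in ``dnssec.inc.rst`` (it is not introduced by this patch) or the build will fail with an unknown-target error. Smaller wording points: "establish chain of trust" needs an article ("establish a chain of trust"); "applicable to a given case zone" should be "applicable to a given zone"; "support for :rfc:`7344` in either parent zone, registry, or registrar" lists three alternatives, so "either" should go ("in the parent zone, registry, or registrar"); and the first option says "Automatically update ... records automatically generated", where one "automatically" is enough. Finally, the "Wait" step would be clearer if it stated when the clock starts, i.e. after every authoritative server (including secondaries) is serving the signed zone, since the point of the wait is that no unsigned copy can still be handed out once the DS is published.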