Template:Rollerd ShortTorial

From DNSSEC-Tools

Rollerd

DNSSEC-Tools Component: rollerd

This describes rollerd, which is in the Authoritative Server Tools category within the DNSSEC-Tools Components framework of tools.

Tool Name: rollerd
Tool Type: Authoritative Server Tools

Rollerd automates key rollovers. That is, it automates the steps necessary to change over from one Zone Signing Key (ZSK) to the next using the Pre-Publish Method of key rollover. It can also automate the less frequent Key Signing Key (KSK) changeover using the [[Double Signature Method]] of key rollover. See RFC 4641 for a description of these key rollover methods.

Getting started with rollerd

  • Given the existing signed zone file, zonefile.signed, with associated keys and a zonesigner key-rec file, example.com.krf.
  • Create a rollrec file using rollinit (a companion tool to rollerd):

> rollinit example.com -zone /var/named/zonefile.signed -keyrec /var/named/example.com.krf -admin admin@example.com >! example.com.rollrec

This should create a file example.com.rollrec:

roll    "example.com"
        zonefile        "/var/named/zonefile.signed"
        keyrec          "/var/named/example.com.krf"
        administrator   "admin@example.com"
        kskphase        "0"
        zskphase        "0"
        ksk_rolldate    " "
        ksk_rollsecs    "0"
        zsk_rolldate    " "
        zsk_rollsecs    "0"
        maxttl          "0"
        display         "1"
        phasestart      "new"

  • Given the above rollerd configuration file for zone example.com, /etc/named/example.com.rollrec.
  • Start rollerd, logging to standard output:

>/usr/local/bin/rollerd -verbose -verbose -verbose -loglevel info -logfile - -rrfile /etc/named/example.com.rrf -sleep 60 -directory /var/named/
Jan 21 23:04:47 2008: rollerd starting ----------------------------------------
Jan 21 23:04:47 2008: rollerd parameters:
Jan 21 23:04:47 2008: rollrec file "/etc/named/example.com.rrf"
Jan 21 23:04:47 2008: logfile "-"
Jan 21 23:04:47 2008: loglevel "info"
Jan 21 23:04:47 2008: sleeptime "60"
Jan 21 23:04:47 2008:
Jan 21 23:04:47 2008: example.com: KSK expiration in 24 weeks, 3 days, 13 hours, 3 minutes, 25 seconds
Jan 21 23:04:47 2008: example.com: ZSK expired 1985 weeks, 4 days, 23 hours, 4 minutes, 47 seconds ago
Jan 21 23:04:47 2008: example.com: current ZSK has expired
Jan 21 23:04:47 2008: example.com: ZSK phase 1
Jan 21 23:05:52 2008: example.com: ZSK phase 1; cache expires in 55 seconds
Jan 21 23:06:57 2008: example.com: ZSK phase 2
Jan 21 23:06:57 2008: example.com: executing "zonesigner -usezskpub example.com db.example.com.signed"
Jan 21 23:06:58 2008: example.com: ZSK phase 3
Jan 21 23:06:58 2008: example.com: ZSK phase 3; cache expires in 2 minutes, 0 seconds
Jan 21 23:08:03 2008: example.com: ZSK phase 3; cache expires in 55 seconds
Jan 21 23:09:08 2008: example.com: ZSK phase 4
Jan 21 23:09:08 2008: example.com: executing "zonesigner -rollzsk example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: executing "zonesigner example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: ZSK phase 0
Jan 21 23:09:09 2008: example.com: ZSK expiration in 1 week, 0 seconds
Jan 21 23:10:14 2008: example.com: KSK expiration in 24 weeks, 3 days, 12 hours, 57 minutes, 58 seconds
Jan 21 23:10:14 2008: example.com: ZSK expiration in 6 days, 23 hours, 58 minutes, 55 seconds
Jan 21 23:11:19 2008: example.com: KSK expiration in 24 weeks, 3 days, 12 hours, 56 minutes, 53 seconds
Jan 21 23:11:19 2008: example.com: ZSK expiration in 6 days, 23 hours, 57 minutes, 50 seconds

Rollerd has just successfully rolled the ZSK. With the above setup, it took about seven minutes. In general, though, rollerd wouldn't be run like it was above. It is meant to be run in daemon mode as a system service, automatically updating the ZSKs and KSKs as the configured timing indicates. Rollerd can also be controlled while it is running by using rollctl. See the Rollctrl Tutorial for further details on other tasks that rollctl can accomplish.
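As an added example (not part of this tutorial or of the DNSSEC-Tools code), the following Python script parses rollerd log lines of the form shown above, records each ZSK phase transition for a zone, lists the zonesigner commands rollerd executed, and computes how long the roll took from entering phase 1 until the zone returned to phase 0; the sample log is a constructed excerpt of the run above.

```python
"""Summarise a ZSK rollover from rollerd log lines (added example, not DNSSEC-Tools code)."""
import re
from datetime import datetime

# Constructed sample: an excerpt in the format of the rollerd run shown above.
SAMPLE_LOG = """\
Jan 21 23:04:47 2008: rollerd starting ----------------------------------------
Jan 21 23:04:47 2008: example.com: ZSK phase 1
Jan 21 23:05:52 2008: example.com: ZSK phase 1; cache expires in 55 seconds
Jan 21 23:06:57 2008: example.com: ZSK phase 2
Jan 21 23:06:57 2008: example.com: executing "zonesigner -usezskpub example.com db.example.com.signed"
Jan 21 23:06:58 2008: example.com: ZSK phase 3
Jan 21 23:08:03 2008: example.com: ZSK phase 3; cache expires in 55 seconds
Jan 21 23:09:08 2008: example.com: ZSK phase 4
Jan 21 23:09:08 2008: example.com: executing "zonesigner -rollzsk example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: executing "zonesigner example.com db.example.com.signed"
Jan 21 23:09:09 2008: example.com: ZSK phase 0
"""

# "<timestamp>: <zone>: <message>"; lines without a zone (e.g. "rollerd starting") are skipped.
LINE_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): (\S+): (.*)$")
PHASE_RE = re.compile(r"^(ZSK|KSK) phase (\d)")
EXEC_RE = re.compile(r'^executing "([^"]*)"')


def parse_rollover(log_text):
    """Return {zone: {"phases": [(key, phase, time)], "commands": [(time, cmd)]}}."""
    zones = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
        zone, msg = m.group(2), m.group(3)
        info = zones.setdefault(zone, {"phases": [], "commands": []})
        pm = PHASE_RE.match(msg)
        # Record phase changes only; the periodic "cache expires" lines repeat the phase.
        if pm and (not info["phases"] or info["phases"][-1][:2] != (pm.group(1), int(pm.group(2)))):
            info["phases"].append((pm.group(1), int(pm.group(2)), when))
        em = EXEC_RE.match(msg)
        if em:
            info["commands"].append((when, em.group(1)))
    return zones


def rollover_seconds(info, key="ZSK"):
    """Seconds from entering phase 1 to returning to phase 0; None if the roll is incomplete."""
    steps = [(p, t) for k, p, t in info["phases"] if k == key]
    start = next((t for p, t in steps if p == 1), None)
    end = next((t for p, t in steps if p == 0 and start is not None and t > start), None)
    return None if start is None or end is None else int((end - start).total_seconds())
```

Running it over a real rollerd logfile (with -logfile pointing at a file instead of "-") gives the same per-zone summary, which is a convenient way to confirm that every phase was reached and that each phase lasted at least the zone's maximum TTL.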