2019-10-16
The signatures for the first DNSSEC signed zone expired, and I signed the rest
Today I was reminded of the first zone I signed with DNSSEC and ran the check again with DNSViz. I saw a lot of error messages. Some searching showed that I had let all the signatures expire (after the default lifetime of 30 days). Solution: re-sign the zone and take a careful look at when I need to sign the zones again. Officially the latest moment is the expiry time of the signature (default 30 days) minus the TTL of the record. Obviously this process has to be automated.

In the first go I decided to force new signatures after 21 days. But I tested some things later and decided to go for more regular checks of the ages of the signatures, refreshing the signatures that are about to expire. This is usually reserved for 'big' zones with lots of resolvers querying them, but I decided to implement it myself to avoid problems and to learn more about DNSSEC.

The magic signing rule in the Makefile is now:

    %-signedserial: %-zone
    	named-checkzone $* $^
    	./SOA.pl $^
    	dnssec-signzone -S -K /etc/bind/keys -g -a -r /dev/random -D -S -e +2592000 -i 604800 -j 86400 -o $* $^
    	rndc reload $*
    	touch $@

The expiry is set with -e at 30 days (2592000 seconds), the check interval with -i at 7 days (604800 seconds) and the jitter factor with -j at 1 day (86400 seconds).

There is now a special target in the Makefile to be called from cron on a regular basis. It produces no output when there is nothing to update:

    agecheck:
    	@for zone in $(SIGNEDZONES); do \
    	  if [ `find $${zone}-signedserial -mtime +7 -print` ]; then \
    	    touch $${zone}-zone ; \
    	    $(MAKE) --no-print-directory $${zone}-signedserial; \
    	  fi ; \
    	done

The Make variable SIGNEDZONES holds the names of the zones that have to be kept DNSSEC signed. The file structure for each forward zone is as listed in "first zone with valid DNSSEC signatures".

So now almost all my domains are DNSSEC signed. A learning experience and a good level of security.
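The agecheck target above judges freshness by the age of the -signedserial file rather than by the signatures themselves. As an added example (not the author's code), the check below reads the RRSIG records of a signed zone directly and flags every signature whose expiry-minus-TTL deadline falls before the next cron run; the zone excerpt is constructed, with shortened signature data, and is not one of the author's zones.

```python
"""Flag RRSIGs in a signed zone that must be re-signed before the next check run.

The deadline per signature is expiration minus the original TTL: a resolver that
fetched the RRset just before expiry may still serve it for one TTL afterwards.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample in the text form dnssec-signzone writes (signature base64
# shortened); not taken from the author's zones.
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 13 2 3600 20191115120000 20191016120000 12345 example.com. AbCd==
www.example.com. 86400 IN RRSIG A 13 3 86400 20191020120000 20190920120000 12345 example.com. EfGh==
mail.example.com. 300 IN RRSIG A 13 3 300 20191018080000 20190918080000 12345 example.com. IjKl==
"""


def parse_rrsig_time(stamp):
    """RRSIG expiration/inception fields are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_deadlines(zone_text):
    """Return (owner, type covered, expiration, refresh deadline) for each RRSIG.

    Field layout: owner ttl class RRSIG type alg labels origttl expiration
    inception keytag signer signature.
    """
    out = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 12 or fields[3] != "RRSIG":
            continue
        owner, rtype = fields[0], fields[4]
        orig_ttl = int(fields[7])
        expiration = parse_rrsig_time(fields[8])
        out.append((owner, rtype, expiration, expiration - timedelta(seconds=orig_ttl)))
    return out


def signatures_needing_refresh(zone_text, now_stamp, check_interval_days=7):
    """List (owner, type) of RRSIGs whose deadline is before the next run.

    now_stamp uses the RRSIG timestamp format; check_interval_days matches the
    7-day cadence of the post's cron-driven agecheck, so anything that would
    expire (or already has) before the next run is flagged now.
    """
    next_run = parse_rrsig_time(now_stamp) + timedelta(days=check_interval_days)
    return [(owner, rtype) for owner, rtype, _exp, deadline
            in rrsig_deadlines(zone_text) if deadline <= next_run]
```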