rollerd.1p

Language: en

Version: 2008-07-23 (ubuntu - 07/07/09)

Section: 1 (User commands)

NAME

rollerd - DNSSEC-Tools daemon to manage DNSSEC key rollover

SYNOPSIS

   rollerd [-options] -rrfile <rollrec_file>

DESCRIPTION

The rollerd daemon manages key rollover for zones. rollerd handles both KSK and ZSK rollover, though only one rollover may take place at a time. Initiation of KSK rollovers takes precedence over the initiation of ZSK rollovers. The Pre-Publish Method of key rollover is used for ZSK key rollovers. The Double Signature Method of key rollover is used for KSK rollovers. rollerd maintains zone rollover state in files called rollrec files. The administrator may control rollerd with the rollctl command. These are described in their own sections below.

ZSK Rollover Using the Pre-Publish Method

The Pre-Publish Method has four phases that are entered when it is time to perform ZSK rollover:
     1. wait for old zone data to expire from caches
     2. sign the zone with the KSK and Published ZSK
     3. wait for old zone data to expire from caches
     4. adjust keys in keyrec and sign the zone with new Current ZSK

rollerd uses the zonesigner command during ZSK rollover phases 2 and 4. zonesigner will generate keys as required and sign the zone during these two phases.

The Pre-Publish Method of key rollover is defined in the Step-by-Step DNS Security Operator Guidance Document. See that document for more detailed information.

KSK Rollover Using the Double Signature Method

The Double Signature Method has seven phases that are entered when it is time to perform KSK rollover:
     1. wait for old zone data to expire from caches
     2. generate a new (published) KSK
     3. wait for the old DNSKEY RRset to expire from caches
     4. roll the KSKs
     5. transfer new keyset to the parent
     6. wait for parent to publish the new DS record
     7. reload the zone

rollerd uses the zonesigner command during KSK rollover phases 2 and 4. zonesigner will generate keys as required and sign the zone during these two phases.

Currently, steps 5 and 6 are handled manually. In step 5, rollerd informs the administrator that the zone's keyset must be transferred to its parent in order for rollover to continue. In step 6, after the parent has published a new DS record, the administrator uses rollctl to inform rollerd that the DS record has been published and rollover may continue.

The Double Signature Method of key rollover is defined in the Step-by-Step DNS Security Operator Guidance Document. See that document for more detailed information.

rollrec Files

The zones to be managed by rollerd are described in a rollrec file. Each zone's entry contains data needed by rollerd and some data useful to a user. Below is a sample rollrec entry:
         roll "example.com"
                 zonefile        "example.com.signed"
                 keyrec          "example.com.krf"
                 directory       "dir-example.com"
                 kskphase        "0"
                 zskphase        "3"
                 ksk_rollsecs    "1172614842"
                 ksk_rolldate    "Tue Feb 27 22:20:42 2007"
                 zsk_rollsecs    "1172615087"
                 zsk_rolldate    "Tue Feb 27 22:24:47 2007"
                 maxttl          "60"
                 display         "1"
                 phasestart      "Tue Feb 27 22:25:07 2007"

The first line gives the rollrec entry's name. The following lines give the zone's signed zone file, keyrec file, the current rollover phases, the rollover timestamps, and other information.

If either of the zonefile or keyrec files do not exist, then a ``roll'' rollrec will be changed into a ``skip'' rollrec. That record will not be processed.

A more detailed explanation may be found in rollrec(5).

Directories

rollerd's execution directory is either the directory in which it is executed or the directory passed in the -directory command-line option. Any files used by rollerd that were not specified with absolute paths use this directory as their base.

A rollrec file's directory field informs rollerd where the zone's files may be found. For that zone, rollerd will move into that directory, then return to its execution directory when it finishes rollover operations for that zone. If the directory value is a relative path, it will be appended to rollerd's execution directory. If the directory value is an absolute path, it will be used as is.
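As an added example (not DNSSEC-Tools code, which is Perl), a small Python reader for the rollrec syntax shown above that applies the two rules stated in the rollrec Files and Directories sections: a roll entry whose zonefile or keyrec cannot be found becomes a skip entry, and a relative directory value is appended to rollerd's execution directory. Reading a zone's relative file names against its directory field, the injectable existence test, and the sample entries are assumptions made here.

```python
import os
import re
# Constructed sample in the rollrec syntax this man page shows (not a real file).
SAMPLE_ROLLREC = '''\
roll "example.com"
        zonefile        "example.com.signed"
        keyrec          "example.com.krf"
        directory       "dir-example.com"
        zskphase        "3"

roll "example.net"
        zonefile        "/srv/dns/example.net.signed"
        keyrec          "example.net.krf"
        directory       "/srv/dns"
'''
LINE_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*$')

def parse_rollrec(text):
    """A 'roll'/'skip' line names an entry; the indented keyword "value" lines after it belong to it."""
    entries = []
    for raw in filter(str.strip, text.splitlines()):  # skip blank separator lines
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError(f"unparseable rollrec line: {raw!r}")
        key, val = m.groups()
        if key in ("roll", "skip"):
            entries.append({"type": key, "name": val})
        else:
            entries[-1][key] = val  # IndexError if a field precedes any roll/skip line
    return entries

def resolve_zone_dir(exec_dir, entry):
    """directory: absolute is used as-is, relative is appended to rollerd's execution directory."""
    d = entry.get("directory", "")
    return d if os.path.isabs(d) else os.path.join(exec_dir, d)

def check_entries(entries, exec_dir, exists=os.path.exists):
    """roll -> skip when zonefile or keyrec is missing. Relative file names are read against the
    zone's directory (assumed: rollerd moves there for the zone); the existence test is injectable."""
    out = []
    for e in entries:
        e = dict(e)  # do not mutate the caller's entries
        zdir = resolve_zone_dir(exec_dir, e)
        for field in ("zonefile", "keyrec"):
            p = e.get(field, "")
            full = p if os.path.isabs(p) else os.path.join(zdir, p)
            if e["type"] == "roll" and not exists(full):
                e["type"], e["skip_reason"] = "skip", f"missing {field}: {full}"
        out.append(e)
    return out
```

Running check_entries over a real rollrec file before starting rollerd shows which zones it would silently turn into skip records.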

Controlling rollerd with rollctl

The rollctl command is used to control the behavior of rollerd. A number of commands are available, such as starting or stopping rollover for a selected zone or all zones, turning on or off a GUI rollover display, and halting rollerd execution. The communications path between rollerd and rollctl is operating system-dependent. On Unix-like systems, it is a Unix pipe that should only be writable by root. A more detailed explanation of rollctl may be found in rollctl(8).

A Note About Files and Filenames

There are a number of files and filenames used by rollerd and zonesigner. The user must be aware of the files used by these programs, where the files are located, and where the programs are executed.

By default, rollerd will change directory to the DNSSEC-Tools directory, though this may be changed by the -directory option. Any programs started by rollerd, most importantly zonesigner, will run in this same directory. If files and directories referenced by these programs are named with relative paths, those paths must be relative to this directory.

The rollrec entry name is used as a key to the rollrec file and to the zone's keyrec file. This entry does not have to be the name of the entry's domain, but it is a very good idea to make it so. Whatever is used for this entry name, the same name must be used for the zone keyrec in that zone's keyrec file.

It is probably easiest to store rollrec files, keyrec files, zone files, and key files in a single directory.

INITIALIZATION AND USAGE

The following steps must be taken to initialize and use rollerd. This assumes that zone files have been created, and that BIND and DNSSEC-Tools have been installed.
0. sign zones
The zones to be managed by rollerd must be signed. Use zonesigner to create the signed zone files and the keyrec files needed by rollerd. The rollrec file created in the next step must use the keyrec file names and the signed zone file names created here.
1. create rollrec file
Before rollerd may be used, a rollrec file must first be created. While this file may be built by hand, the rollinit command was written specifically to build the file.
2. select operational parameters
A number of rollerd's operational parameters are taken from the DNSSEC-Tools configuration file. However, these may be overridden by command-line options. See the OPTIONS section below for more details. If non-standard parameters are desired to always be used, the appropriate fields in the DNSSEC-Tools configuration file may be modified to use these values.
3. install the rollover configuration
The complete rollover configuration --- rollerd, rollrec file, DNSSEC-Tools configuration file values, zone files --- should be installed. The appropriate places for these locations are both installation-dependent and operating system-dependent.
4. test the rollover configuration
The complete rollover configuration should be tested.

Edit the zone files so that their zones have short TTL values. A minute TTL should be sufficient. Test rollovers of this speed should only be done in a test environment without the real signed zone.

Run the following command:

     rollerd -rrfile test.rollrec -logfile - -loglevel info -sleep 60

This command assumes the test rollrec file is test.rollrec. It writes a fair amount of log messages to the terminal, and checks its queue every 60 seconds. Follow the messages to ensure that the appropriate actions, as required by the Pre-Publish Method, are taking place.

5. set rollerd to start at boot
Once the configuration is found to work, rollerd should be set to start at system boot. The actual operations required for this step are operating system-dependent.
6. reboot and verify
The system should be rebooted and the rollerd logfile checked to ensure that rollerd is operating properly.

OPTIONS

There are a number of operational parameters that define how rollerd works. These parameters define things such as the rollrec file, the logging level, and the log file. These parameters can be set in the DNSSEC-Tools configuration file or given as options on the rollerd command line. The command line options override values in the configuration file.

The following options are recognized:

-rrfile rollrec_file
Name of the rollrec file to be processed. This is the only required ``option''.
-directory dir
Sets the rollerd execution directory. This must be a valid directory.
-logfile log_file
Sets the rollerd log file to log_file. This must be a valid logging file, meaning that if log_file already exists, it must be a regular file. The only exceptions to this are if log_file is /dev/stdout, /dev/tty, or -. Of these three, using a log_file of - is preferable since Perl will properly convert the - to the process' standard output.
-loglevel level
Sets rollerd's logging level to level. rollmgr.pm(3) contains a list of the valid logging levels.
-sleep sleeptime
Sets rollerd's sleep time to sleeptime. The sleep time is the amount of time (in seconds) rollerd waits between processing its rollrec-based queue.
-parameters
Prints a set of rollerd parameters and then exits.
-display
Starts the blinkenlights graphical display program to show the status of zones managed by rollerd.
-Version
Displays the version information for rollerd and the DNSSEC-Tools package.
-help
Display a usage message.
-verbose
Verbose output will be given.

ASSUMPTIONS

rollerd uses the rndc command to communicate with the BIND named daemon. Therefore, it assumes that appropriate measures have been taken so that this communication is possible.

KNOWN PROBLEMS

The following problems (or potential problems) are known:
- Any process that can write to the rollover socket can send commands to rollerd. This is probably not a Good Thing.
- Very little testing was done with zone files and key files not in the process' directory.

POSSIBLE ENHANCEMENTS

The following potential enhancements may be made:
- It'd be good to base rollerd's sleep time on when the next operation must take place, rather than a simple seconds count.

COPYRIGHT

Copyright 2005-2008 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.

AUTHOR

Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO

blinkenlights(8), named(8), rndc(8), rollchk(8), rollctl(8), rollinit(8), zonesigner(8)

Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3), Net::DNS::SEC::Tools::rolllog.pm(3), Net::DNS::SEC::Tools::rollmgr.pm(3), Net::DNS::SEC::Tools::rollrec.pm(3)

rollrec(5)