[CentOS] DNSSEC Questions

Wed Feb 13 03:26:20 UTC 2019
Paul R. Ganci <ganci at nurdog.com>

Last weekend I had my DNSSEC keys expire. I discovered that they had 
expired the hard way... namely, websites randomly could not be found and 
email did not get delivered. It seems that the keys were only valid for 
what I estimate was about 30 days. It is a real PITA to have to update the 
keys, restart named and then update Godaddy with new digests.

The first part of the problem is fairly manageable in the sense that I 
already have a script that can partially do the job of updating the DNS 
server. However, from what I can tell, the only way I can update the 
DNSSEC data for my 8 domains is via the Godaddy control panel GUI. So, a 
couple of questions.

1.) Is anyone aware of any way to update Godaddy DNSSEC data via a CentOS 
7 bash shell? I will contact Godaddy, but I suspect I am SOL; I thought 
I would ask here, thinking somebody else may have already run into this 
issue.

2.) Assuming the answer to the DNSSEC question is no, can I at least have 
the keys last longer than they do by default? I am presently creating the 
keys via:

 > dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE zone

 > dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE zone

It is very unclear to me, given the dnssec-keygen man page, how to set the 
dates so that I could get 90 days or even more per key. The descriptions 
I found about constructing rolling keys were even more cryptic to me. For 
example, how do you use these switches:

-A date/offset

    Sets the date on which the key is to be activated. After that date,
    the key will be included in the zone and used to sign it. If not
    set, and if the -G option has not been used, the default is "now".

-D date/offset

    Sets the date on which the key is to be deleted. After that date,
    the key will no longer be included in the zone. (It may remain in
    the key repository, however.)

-I date/offset

    Sets the date on which the key is to be retired. After that date,
    the key will still be included in the zone, but it will not be used
    to sign it.

-P date/offset

    Sets the date on which a key is to be published to the zone. After
    that date, the key will be included in the zone but will not be used
    to sign it. If not set, and if the -G option has not been used, the
    default is "now".

-R date/offset

    Sets the date on which the key is to be revoked. After that date,
    the key will be flagged as revoked. It will be included in the zone
    and will be used to sign it.

Is it as simple as setting the -I and -R switches to something like +90d?

At least if I can get the DNS server to update via a cron job, even if 
the 1st item will always have to be done manually, that would help.

Thanks for your help.

-- 

Paul (ganci at nurdog.com)
Cell: (303)257-5208
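The key-timing questions in the post above, worked as an added example (this is not code from the original post, from the list, or from BIND): a script that reads the timing metadata dnssec-keygen writes as `;` comments into each `K*.key` file, flags keys whose Inactive date falls inside a warning window, and prints the `dnssec-keygen -S` command that creates a pre-published successor. Facts it relies on: dnssec-keygen sets no Inactive or Delete date unless -I/-D are given, so a key made with the two commands in the post never retires on its own; those dates only take effect when named serves the zone with `auto-dnssec maintain` (or the zone is signed with `dnssec-signzone -S`); a 90-day ZSK lifetime is `-P now -A now -I +90d -D +120d` at creation time; and -R sets the RFC 5011 REVOKE flag for trust-anchor revocation, which is not what ends a key's life. Two caveats worth checking before blaming the keys: dnssec-signzone's default signature validity (-e) is 30 days, so a zone that stops validating after about a month usually has expired RRSIGs, which re-signing renews without new keys; and only a KSK rollover changes the DS record at the registrar, a ZSK rollover never touches it. The sample key file, the zone example.com, key id 12345 and the paths are constructed for the example.

```python
"""Check BIND DNSSEC key timing metadata and print successor-key commands.

Added example; not code from the original post or from BIND. Assumes the
.key layout dnssec-keygen writes (BIND 9.9+): timing as ';' comments in
UTC, followed by one DNSKEY record. Zone, key id and paths are constructed.
"""
import re
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

TIMESTAMP = "%Y%m%d%H%M%S"  # dnssec-keygen writes YYYYMMDDHHMMSS (UTC)
META_RE = re.compile(r"^;\s*(Created|Publish|Activate|Inactive|Delete|Revoke):\s*(\d{14})")
DNSKEY_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s")

# Constructed sample: a ZSK created 2019-02-13 with -P now -A now -I +90d -D +120d,
# i.e. the 90-day lifetime the post asks for. The key material is not real.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20190213032620 (Wed Feb 13 03:26:20 2019)
; Publish: 20190213032620 (Wed Feb 13 03:26:20 2019)
; Activate: 20190213032620 (Wed Feb 13 03:26:20 2019)
; Inactive: 20190514032620 (Tue May 14 03:26:20 2019)
; Delete: 20190613032620 (Thu Jun 13 03:26:20 2019)
example.com. IN DNSKEY 256 3 7 AwEAAexampleKeyMaterialNotReal==
"""


def parse_ts(ts):
    """Parse a dnssec-keygen style timestamp into a naive UTC datetime."""
    return datetime.strptime(ts, TIMESTAMP)


def parse_key_file(text):
    """Extract zone, role (KSK/ZSK), algorithm number and timing dates."""
    info = {"zone": None, "role": None, "algorithm": None, "times": {}}
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            info["times"][m.group(1)] = parse_ts(m.group(2))
            continue
        m = DNSKEY_RE.match(line)
        if m:
            flags = int(m.group(2))
            info["zone"] = m.group(1)
            info["role"] = "KSK" if flags & 1 else "ZSK"  # SEP bit set: 257 = KSK
            info["algorithm"] = int(m.group(3))
    if info["zone"] is None:
        raise ValueError("no DNSKEY record in key file")
    return info


def rollover_status(info, now, warn=timedelta(days=14)):
    """Classify a key against its own timing metadata at time `now`."""
    t = info["times"]
    if "Inactive" not in t:
        return "no-inactive-date"  # -I never given: key signs until removed by hand
    if "Delete" in t and now >= t["Delete"]:
        return "deleted"
    if now >= t["Inactive"]:
        return "inactive"  # still published but no longer signing
    if t["Inactive"] - now <= warn:
        return "rollover-due"
    return "ok"


def successor_command(key_path, prepublish_days=30):
    """Build the dnssec-keygen -S call that creates a successor for key_path.

    -S copies name, algorithm, size and type from the old key and sets the
    new key's Activate to the old key's Inactive; -i is the prepublication
    interval, i.e. how long the new DNSKEY is served before it signs.
    """
    path = Path(key_path)
    name = path.name
    for ext in (".key", ".private"):
        if name.endswith(ext):
            name = name[: -len(ext)]
    cmd = ["dnssec-keygen"]
    if str(path.parent) not in ("", "."):
        cmd += ["-K", str(path.parent)]  # keep the successor next to the old key
    cmd += ["-S", name, "-i", f"{prepublish_days}d"]
    return " ".join(cmd)


def classify_key(key_path, text, now, warn=timedelta(days=14)):
    """One report row: (file name, role, status, successor command or None)."""
    info = parse_key_file(text)
    status = rollover_status(info, now, warn)
    cmd = successor_command(key_path) if status == "rollover-due" else None
    return (Path(key_path).name, info["role"], status, cmd)


def scan_key_dir(key_dir, now, warn=timedelta(days=14)):
    """Report every K*.key in key_dir (named's key-directory)."""
    return [classify_key(p, p.read_text(), now, warn)
            for p in sorted(Path(key_dir).glob("K*.key"))]


if __name__ == "__main__":
    # usage: keycheck.py [key-directory] [YYYYMMDDHHMMSS]; the optional
    # timestamp lets you preview what the report will say on a future date.
    key_dir = sys.argv[1] if len(sys.argv) > 1 else "."
    now = parse_ts(sys.argv[2]) if len(sys.argv) > 2 else \
        datetime.now(timezone.utc).replace(tzinfo=None)
    due = 0
    for name, role, status, cmd in scan_key_dir(key_dir, now):
        print(f"{name:<44} {role} {status}")
        if cmd:
            print(f"    {cmd}")
            due += 1
    sys.exit(1 if due else 0)  # non-zero so cron mails the report when a rollover is due
```

Run from cron against named's key-directory; the exit status makes a due rollover visible as cron mail. For a ZSK, running the printed command, leaving the old key in place until its Delete date, and letting named (with `auto-dnssec maintain`) pick up the new file is the whole rollover. For a KSK the same command works, but the new key's DS (from `dnssec-dsfromkey`) still has to reach the registrar before the old KSK goes inactive, which is the manual step the post describes.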