[Opendnssec-develop] KSK rollover

Antoin Verschuren Antoin.Verschuren at sidn.nl
Tue Dec 8 14:59:48 UTC 2009


The method of double signatures is one that cannot be used when you transfer a zone between DNS operators, because either operator does not have one of the private keys to sign with.
So the preferred way to facilitate this is pre-publish and multiple DS records at the parent (or am I missing something?).
So since the parent should already be facilitating this method of rollover for transfers, why would they create a different process for a rollover where there is no transfer involved?
The same could be true for the child. If you make pre-publish your default rollover method, you don't need to invent (and for OpenDNSSEC to implement) a different BCP for transfers.

So for transfers:
In new zone:
- Enter old and new public KSK
- Sign keyset with new KSK
In old zone:
- Add new public KSK in zone next to old KSK
- Sign keyset with old KSK
At parent:
- Add DS for new KSK
- Wait for propagation
- Change NS set
- Wait for propagation
- Delete old DS

The only difference for a regular rollover is that you don't have to change and wait for propagation of the new NS set, but the process would stay the same.
The only advantage I see in adding a different rollover method for regular transfers without NS changes is that there are fewer DS records in the parent zone.

Antoin Verschuren

Technical Policy Advisor SIDN
Utrechtseweg 310, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  F: +31 26 3525505  M: +31 6 23368970
mailto:antoin.verschuren at sidn.nl  xmpp:antoin at jabber.sidn.nl  http://www.sidn.nl/



> -----Original Message-----
> From: opendnssec-develop-bounces at lists.opendnssec.org [mailto:opendnssec-
> develop-bounces at lists.opendnssec.org] On Behalf Of Rickard Bellgrim
> Sent: Tuesday, December 08, 2009 3:30 PM
> To: opendnssec-develop at lists.opendnssec.org
> Subject: [Opendnssec-develop] KSK rollover
> 
> Hi
> 
> As noted on the user's list, we got some suggestions that we should use
> double signatures for KSK rollover. Because most people would like to
> change the DS records only one time. Do we agree?
> 
> Currently we do (something like this):
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key
> ods-ksmutil key ksk-roll
> - Make new key active. Retire old key.
> 
> Suggested solution:
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key. Make new key active (when key is ready).
> ods-ksmutil key ksk-roll
> - Retire old key.
> 
> Should we do this for version 1? Would it be difficult?
> 
> // Rickard
> 
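A small model of the transfer rollover described in Antoin's mail, added here as an illustration and not code from OpenDNSSEC or from either author. Zones, KSKs and DS records are reduced to names, propagation delays are ignored (each parent step is treated as atomic), and the check is simply whether a validator following the parent's NS set finds a DNSKEY RRset signed by a KSK that has a DS; the same check is run on the mail's ordering and on a wrong ordering that switches NS before the new DS exists.

```python
from dataclasses import dataclass


@dataclass
class Zone:
    dnskeys: set   # names of the public KSKs published in the DNSKEY RRset
    signer: str    # the KSK whose private key this operator holds and signs with


@dataclass
class Parent:
    ds: set        # names of the KSKs that have a DS record at the parent
    ns: str        # "old" or "new": which operator the NS set delegates to


def chain_validates(zones, parent):
    """A validator follows the parent's NS set to one operator's copy of the
    zone and accepts its DNSKEY RRset only if the signing KSK is published
    there and has a matching DS at the parent."""
    z = zones[parent.ns]
    return z.signer in z.dnskeys and z.signer in parent.ds


def transfer_rollover(zones, parent, parent_steps):
    """Apply the child-side preparation from the mail, then the parent-side
    steps in the given order; return (step, still validates) per step."""
    zones["new"].dnskeys |= {"old", "new"}   # new zone: old and new public KSK
    zones["new"].signer = "new"              # ... keyset signed with new KSK
    zones["old"].dnskeys |= {"new"}          # old zone: new KSK next to old KSK
    zones["old"].signer = "old"              # ... keyset still signed with old KSK
    results = []
    for step in parent_steps:
        if step == "add DS new":
            parent.ds.add("new")
        elif step == "change NS":
            parent.ns = "new"
        elif step == "delete DS old":
            parent.ds.discard("old")
        results.append((step, chain_validates(zones, parent)))
    return results


def fresh_state():
    # Constructed starting point: old operator serves the zone with one KSK,
    # the parent holds a DS for that KSK, the new operator has nothing yet.
    zones = {"old": Zone({"old"}, "old"), "new": Zone(set(), "new")}
    return zones, Parent({"old"}, "old")


MAIL_ORDER = ["add DS new", "change NS", "delete DS old"]
BAD_ORDER = ["change NS", "add DS new", "delete DS old"]  # NS moved before DS

if __name__ == "__main__":
    for order in (MAIL_ORDER, BAD_ORDER):
        print(transfer_rollover(*fresh_state(), order))
```

With the mail's ordering every step stays valid; with the NS change first, the delegation is bogus until the new DS is added.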

