[Opendnssec-develop] Zone moving between operators

Antoin Verschuren Antoin.Verschuren at sidn.nl
Mon Mar 23 20:46:24 UTC 2009

On Monday 23-03-2009 at 19:09 [timezone +0000], John wrote:
> On 23 Mar 2009, at 18:54, Matthijs Mekking wrote:
> >
> > * What to do when a zone moves from one operator to another.
> Several people have asked me this as well - Off the top of my head, I  
> don't think we can do anything. There are too many variables. I think  
> that unless you (as a registrant) are willing to test the interaction  
> between operators on a regular basis you have to assume that you will  
> go, or at least will risk going, unsigned at change over.

In current economics, the answer "we can't" won't help to get DNSSEC
deployed. If my choice is between not signing my zone or disappointing my
clients when I'm changing infrastructure, I know I will choose not to
sign. Changing infrastructure is a common thing in current business
processes, and in some countries even a requirement in policy.

I think we can do it.
Moving a zone has 3 options:
1. Become insecure, like you say.
2. Hand over the private keys for the zone to the new operator so he can
do a key rollover to use his own keys. Not a very safe process and
certainly not possible when you use certain HSMs.
3. Have the losing operator sign the new key(s) from the gaining
operator during a special key rollover process. I think that it's

Disadvantage of the last 2 is that it needs cooperation of the losing
operator. But that's politics or policy, and I think it must be possible
to change infrastructure without becoming insecure for DNSSEC to become

> > * What to do when the HSM is replaced
> Just works (I hope). You add a new HSM, update policies to start using  
> it and new keys will be created in the new HSM.

Here you actually have the same issue as you have in option 3 above.
You need the old HSM to sign the new keys that are generated by the new
HSM if you cannot move the private keys around from HSMold to HSMnew.
You cannot just start using a new keyset that was not signed by the old
one because you will break the chain of trust for signatures that are
still in caches.

> > And does KASP have the logic
> > if a key for zone A needs to be rolled over, but must be kept for other
> > zones.
> No - let's not go there. :)

I prefer not to go there as well, but as it is common business practice
to move one zone from operator 1 to operator 2 without moving all the
other zones from operator 1, the advice should be to use a key per zone,
and not reuse keys.

Again, without these business processes supported, DNSSEC will not be
used in the current real world.

Antoin Verschuren

Technical Policy Advisor
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
W http://www.sidn.nl/
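The two points above (option 3, where the losing operator signs the gaining operator's key, and the HSM replacement case, where the old HSM must sign keys generated in the new one) come down to the same thing: a validator may still hold the old DS or DNSKEY set in its cache. The following is an added toy model, not OpenDNSSEC code and not from this thread: keys are names, an RRSIG is just "this KSK signed the DNSKEY RRset", a DS is a SHA-256 over the key name, and the TTLs of 24 and 4 hours are constructed. It contrasts an abrupt keyset switch with a cooperative double-signature rollover, as seen from a resolver that caches DS and DNSKEY with their own TTLs.

```python
"""Toy model of the DNSSEC chain of trust through a KSK change, as seen from a
validating resolver's cache.  No real cryptography: a key is a name, an RRSIG is
"this KSK signed the DNSKEY RRset", a DS is a digest of the key name.
Hypothetical example code, not OpenDNSSEC's."""
import hashlib
from dataclasses import dataclass
from typing import Optional


def ds_of(key: str) -> str:
    """DS digest of a DNSKEY, modelled as SHA-256 over the key name."""
    return hashlib.sha256(key.encode()).hexdigest()


@dataclass(frozen=True)
class ZoneState:
    dnskeys: frozenset   # KSKs published in the zone's DNSKEY RRset
    signers: frozenset   # KSKs that have an RRSIG over the DNSKEY RRset
    ds_set: frozenset    # DS digests published at the parent


def state_at(schedule, t: int) -> ZoneState:
    """schedule: ascending list of (start_time, ZoneState); latest start <= t wins."""
    current = schedule[0][1]
    for start, state in schedule:
        if start <= t:
            current = state
    return current


@dataclass
class Cached:
    value: object
    expires: int


@dataclass
class Resolver:
    ds_ttl: int
    dnskey_ttl: int
    ds_cache: Optional[Cached] = None
    dnskey_cache: Optional[Cached] = None

    def _cached(self, attr, now, fetch, ttl):
        # Serve from cache until the TTL runs out, then refetch from the zone.
        entry = getattr(self, attr)
        if entry is None or entry.expires <= now:
            entry = Cached(fetch(), now + ttl)
            setattr(self, attr, entry)
        return entry.value

    def validate(self, now: int, zone: ZoneState) -> bool:
        """Secure iff a published KSK matches a DS we hold and that KSK signed the RRset."""
        ds_set = self._cached("ds_cache", now, lambda: zone.ds_set, self.ds_ttl)
        keys, signers = self._cached("dnskey_cache", now,
                                     lambda: (zone.dnskeys, zone.signers), self.dnskey_ttl)
        return any(ds_of(k) in ds_set and k in signers for k in keys)


def simulate(schedule, ds_ttl, dnskey_ttl, first_query, end):
    """Times at which a resolver that first queried at first_query sees a bogus answer."""
    r = Resolver(ds_ttl, dnskey_ttl)
    return [t for t in range(first_query, end + 1)
            if not r.validate(t, state_at(schedule, t))]


# Constructed scenario: KSK of the losing operator (or old HSM) vs. the gaining one.
OLD, NEW = "KSK-losing-operator", "KSK-gaining-operator"
DS_TTL, DNSKEY_TTL = 24, 4   # hours, constructed values

S_OLD = ZoneState(frozenset({OLD}), frozenset({OLD}), frozenset({ds_of(OLD)}))
S_NEW = ZoneState(frozenset({NEW}), frozenset({NEW}), frozenset({ds_of(NEW)}))
S_BOTH_OLD_DS = ZoneState(frozenset({OLD, NEW}), frozenset({OLD, NEW}), frozenset({ds_of(OLD)}))
S_BOTH_NEW_DS = ZoneState(frozenset({OLD, NEW}), frozenset({OLD, NEW}), frozenset({ds_of(NEW)}))

# Option 1 / naive HSM swap: at hour 10 the new keyset appears, signed only by itself.
ABRUPT = [(0, S_OLD), (10, S_NEW)]

# Option 3: old key signs the new one; DS moves after one DNSKEY TTL;
# the old key is withdrawn only after one further DS TTL.
COOPERATIVE = [(0, S_OLD), (10, S_BOTH_OLD_DS),
               (10 + DNSKEY_TTL, S_BOTH_NEW_DS),
               (10 + DNSKEY_TTL + DS_TTL, S_NEW)]

if __name__ == "__main__":
    print("abrupt switch, bogus at hours:", simulate(ABRUPT, DS_TTL, DNSKEY_TTL, 0, 48))
    print("cooperative rollover, bogus at hours:", simulate(COOPERATIVE, DS_TTL, DNSKEY_TTL, 0, 48))
```

In the abrupt schedule a resolver that cached the old DS at hour 0 refetches the DNSKEY RRset at hour 12, finds only the new key signed by itself, and returns bogus until its DS cache expires at hour 24; the cooperative schedule never fails, whatever the phase of the resolver's queries, because every cache combination a resolver can hold contains a matching DS and a signature by that key.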