[Opendnssec-user] Key rollovers on exact days and with predictable keys?

Sebastian Castro sebastian at nzrs.net.nz
Fri Oct 15 03:01:41 CEST 2010


Hi:

The OpenDNSSEC documentation suggests in order to have key rollovers on
exact days, activate the ManualRollover tag and use crontab:

----------------------------------
Key rollovers on exact dates

Some users want to have more control over their key rollovers and roll
keys on exact dates, for example the first day of each month. To do this
you need to specify that you want manual key rollovers in the kasp.xml
configuration. Add the <ManualRollover/> tag to the type and key you
want to roll manually.

When this is done you can add the rollover commands to a cron job, with
a command like this:

 ods-ksmutil key rollover --zone example.com --keytype ZSK
---------------------------------

We are considering to have the system "scripted", where each ZSK
rollover has an specific date and the list of keys (including the order
of use) is known. Thus, we can check after a rollover if the system
introduced the key we expected.

To extend a little bit more, assume an scenario where a pool of keys is
generated and automatic key generation is disabled using the
ManualKeyGeneration tag.

Key pool is created with something like this:

ods-ksmutil key generate --zone example.com --interval P1Y

SQLite database set to: /var/opendnssec/kasp.db
Key sharing is Off
HSM opened successfully.
Created KSK size: 2048, alg: 7 with id: eaefe4d0de115b016e8b90e0f76d0571
in repository: softHSM and database.
Created ZSK size: 1024, alg: 7 with id: ac9e3626f19eae7aecae3b23453a6877
in repository: softHSM and database.
Created ZSK size: 1024, alg: 7 with id: 4b300ac1eb5d41a034ddfaeb4453acbc
in repository: softHSM and database.
Created ZSK size: 1024, alg: 7 with id: eb4205c1a4f985c63c09d0a88a4eb768
in repository: softHSM and database.
Created ZSK size: 1024, alg: 7 with id: b4dd17417d13aa58c8d3ae1429a02dff
in repository: softHSM and database.

Is it reasonable to assume the ZSKs will be used in the listed order?:
id: ac9e3626f19eae7aecae3b23453a6877
id: 4b300ac1eb5d41a034ddfaeb4453acbc
id: eb4205c1a4f985c63c09d0a88a4eb768
id: b4dd17417d13aa58c8d3ae1429a02dff

or achieving our "idea" would require a change to ods-ksmutil to accept
the option "--CKA_ID", turning the rollover into something like the
following?

ods-ksmutil key rollover --zone example.com --keytype zsk --CKA_ID
ac9e3626f19eae7aecae3b23453a6877


Is there a need for this feature or we are just over engineering?


cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535




More information about the Opendnssec-user mailing list