DNSSEC key rollover

Carsten Strotmann cs at sys4.de
Wed Jan 21 09:43:18 CET 2015


Hello John,

On Mon, 19 Jan 2015 22:47:59 -0500
John <john at klam.ca> wrote:

> A couple of questions:
> Does anybody know if key rolling is going to be part of Bind (as part
> of maintain/inline) maybe?

Not that I'm aware of. Would probably be a major addition, as BIND 9
would need to keep state across restarts.

> Has there been any discussion on basing the +/-nn part of the date/time
> params, not on today, but on one of the existing params when the -S 
> option is used?

The way I use the key dates is to specify the "retirement" and
"deletion" only before the new key is generated, e.g. when the rollover
starts. That way, the rollover can be postponed in time when needed.

Example:

the initial key generation:

# dnssec-keygen -a RSASHA256 -b 2048 -n ZONE -P +1d -A +4d example.com

publication: now + 1 day
activation: now + 4 days
retirement: unset
deletion: unset

# dnssec-settime -p all Kexample.com.+008+50340
Created: Wed Jan 21 09:32:35 2015
Publish: Thu Jan 22 09:32:35 2015
Activate: Sun Jan 25 09:32:35 2015
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

28 days after activation, the rollover process starts by setting the
inactivation time and creating the successor key:

# dnssec-settime -I +2d -D +8d Kexample.com.+008+50340
./Kexample.com.+008+50340.key
./Kexample.com.+008+50340.private
# dnssec-settime -p all Kexample.com.+008+50340
Created: Wed Jan 21 09:32:35 2015
Publish: Thu Jan 22 09:32:35 2015
Activate: Sun Jan 25 09:32:35 2015
Revoke: UNSET
Inactive: Sun Feb 22 09:37:28 2015
Delete: Sat Feb 28 09:37:28 2015

# dnssec-keygen -i 2d -S Kexample.com.+008+50340.key
example.com

# dnssec-settime -p all Kexample.com.+008+40260
Created: Wed Jan 21 09:38:04 2015
Publish: Fri Feb 20 09:37:28 2015
Activate: Sun Feb 22 09:37:28 2015
Revoke: UNSET
Inactive: UNSET
Delete: UNSET

By setting the inactivation time not at the creation of the key, but
when the rollover starts, the process is more robust against failures
of the script/process and the rollover can be postponed if needed (by
disabling the script).

But please send a feature request to the BIND 9 people (email
<bind9-bugs at isc.org>) if you feel relative dates for a successor key
would be useful.

Best regards

Carsten
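
As an added example (not part of Carsten's message or of BIND itself), the following Python script parses the `dnssec-settime -p all` output quoted above for the predecessor key and its successor and checks the timing relationships the described procedure relies on: the successor activates exactly when the predecessor goes inactive, the successor is published at least the `-i` pre-publication interval (and at least one DNSKEY TTL) before it activates, and the predecessor stays published long enough after inactivation for old signatures to age out of caches. The DNSKEY TTL and the minimum retire interval are assumed values, since the thread gives neither; the sample output is copied from the messages above.

```python
"""Sanity-check a BIND 9 DNSSEC key rollover timeline.

Added example: parses `dnssec-settime -p all` output for a predecessor
key and its successor and checks that the rollover dates are consistent.
"""
from datetime import datetime, timedelta

# Timestamp format printed by dnssec-settime -p all, e.g. "Wed Jan 21 09:32:35 2015".
TIME_FMT = "%a %b %d %H:%M:%S %Y"

# Sample output copied from the thread: the predecessor after -I/-D were set ...
PREDECESSOR = """\
Created: Wed Jan 21 09:32:35 2015
Publish: Thu Jan 22 09:32:35 2015
Activate: Sun Jan 25 09:32:35 2015
Revoke: UNSET
Inactive: Sun Feb 22 09:37:28 2015
Delete: Sat Feb 28 09:37:28 2015
"""

# ... and the successor created with `dnssec-keygen -i 2d -S`.
SUCCESSOR = """\
Created: Wed Jan 21 09:38:04 2015
Publish: Fri Feb 20 09:37:28 2015
Activate: Sun Feb 22 09:37:28 2015
Revoke: UNSET
Inactive: UNSET
Delete: UNSET
"""


def parse_settime(output):
    """Return {field: datetime or None} from `dnssec-settime -p all` output.

    UNSET fields become None so callers can distinguish "not scheduled"
    from a real timestamp.
    """
    times = {}
    for line in output.splitlines():
        field, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        times[field.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return times


def check_rollover(pred, succ, prepublish=timedelta(days=2),
                   dnskey_ttl=timedelta(hours=1), retire_min=timedelta(days=1)):
    """Return a list of problems; an empty list means the timeline is consistent.

    prepublish is the -i interval given to dnssec-keygen for the successor.
    dnskey_ttl (assumed DNSKEY RRset TTL) and retire_min (assumed minimum
    time the old key must stay published after going inactive, covering the
    RRSIG lifetime plus TTL) are not stated in the thread.
    """
    problems = []
    if pred["Inactive"] is None:
        # Matches the thread's initial state: no rollover has been started yet.
        problems.append("predecessor has no Inactive time: rollover has not been started")
        return problems
    if succ["Activate"] != pred["Inactive"]:
        problems.append("successor Activate must equal predecessor Inactive (no signing gap or overlap)")
    if succ["Publish"] is None or succ["Publish"] > succ["Activate"] - prepublish:
        problems.append("successor published less than the pre-publication interval before activation")
    elif succ["Activate"] - succ["Publish"] < dnskey_ttl:
        problems.append("pre-publication window shorter than the DNSKEY TTL: caches may lack the new key")
    if pred["Delete"] is None:
        problems.append("predecessor has no Delete time: the old key would stay published forever")
    elif pred["Delete"] - pred["Inactive"] < retire_min:
        problems.append("predecessor deleted before its signatures can expire from caches")
    return problems


if __name__ == "__main__":
    issues = check_rollover(parse_settime(PREDECESSOR), parse_settime(SUCCESSOR))
    print("rollover timeline OK" if not issues else "\n".join(issues))
```

Because the Inactive/Delete dates are only set when the rollover actually starts, the check also flags the thread's "initial key generation" state as "not started" rather than as an error in the dates themselves, which is the behaviour a monitoring job wants before the successor exists.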


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://mail.sys4.de/cgi-bin/mailman/private/dane-users/attachments/20150121/8a54ae77/attachment.pgp>


More information about the dane-users mailing list