DNSSEC key rollover

Carsten Strotmann (sys4) cs at sys4.de
Thu Jan 22 16:08:58 CET 2015


John Allen wrote:

> For this exercise all time is measured in days
> 
> |<--------------------------- Key Life ------------------------------>|
> |                                                                     |
> |<- Lead Time ->|<--------- Active  Life --------->|<-  Retirement  ->|
> |               |                                  |                  |
> |____ __________|__________________________________|__________________|
> |    |          |                                  |                  |
> |  Publish      |                                  |                  |
> |               |                                  |                  |
> |<- Create      |<- Active               Inactive ->|          Delete->|
> 
> Problem:
> 
>   * what is the easiest/best way of retrieving information on the
>     current ZSK.

I use a symbolic link that I resolve using "readlink":

% ln -s Kexample.com.+008+25464.key Kexample.com.active.zsk
% readlink Kexample.com.active.zsk
Kexample.com.+008+25464.key

It would also be possible to retrieve an RRSIG from the active zonefile
(or from an authoritative DNS server) and get the ZSK keytag number
(field 6 of the RRSIG data) from there:

#  dig soa sys4.de +dnssec
;; ANSWER SECTION:
sys4.de.		3600	IN	SOA	ns.sys4.de. hostmaster.sys4.de. 2015012206 3600 3600 604800 3600
sys4.de.		3600	IN	RRSIG	SOA 8 2 3600 20150129030130 20150122135311 14544 sys4.de. xg6+KXifZyQj3URwaY6XaTsLcQn7g31DiVv+Q3u2IHBQzZZjAvkTm35W qjWDSsaD31jeNgQVCqvROHs9jmXM+LbSBqfxxLcdR9HFrhuTSZl03S4+ 9KIuAbfej7Fr/jguadPPel7ZfdKHf43QvUpb5iy3kxfGh9uzqAvad0BH h+E=

The current ZSK for sys4.de has the keytag 14544 and algorithm 8, so the
name of the key-file on disk is "Ksys4.de.+008+14544.key" (true only for
BIND 9 DNSSEC tools).

>   * Could any of the intervals use TTLs? If so, which ones.

Not TTLs alone, as the propagation time (master -> slaves) needs to be
taken into account. If you have faith that propagation will happen within
your SOA-refresh time:

 * Time between "publish" and "active" is SOA-Refresh + TTL of the
DNSKEY Record Set
 * Time between "inactive" and "deletion" is SOA-Refresh + largest TTL
in the Zone

Because of the second point, it is recommended not to use excessive TTLs
on DNS records in signed zones (I would recommend at most 24 h = 86400 sec).

>   * Should the he interval in this setup be checked against TTLs.

Sorry, I'm not seeing what the "he" interval is. Can you explain?

Carsten
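The two answers above (find the active ZSK from an RRSIG, and size the publish/active and inactive/delete gaps from the SOA refresh and TTLs) as one added, runnable example. This is not code from the message or from BIND: it parses the dig answer section quoted above (kept with its line wrapping, which the parser treats as wrapped RDATA), reads algorithm and key tag from the RRSIG RDATA (the key tag is the seventh RDATA field: type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature), derives the BIND 9 `K<zone>+<alg>+<tag>.key` file name, and emits a `dnssec-settime -P/-A/-I/-D` command (real BIND 9 flags) for the four points of the diagram. The DNSKEY TTL of 3600, largest zone TTL of 86400, 30-day active life and the 2015-01-22 activation time are assumed inputs chosen for the demonstration.

```python
"""Added example, not code from the original message or from BIND: parse the
dig +dnssec answer quoted in the thread, read the signing key's algorithm
and key tag out of the RRSIG, build the BIND 9 key-file name, and turn the
refresh-plus-TTL rules into the four dnssec-settime timestamps (P/A/I/D)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample: the answer section quoted in the message, kept with the
# line wrapping it had there (SOA RDATA and RRSIG signature spill onto the
# following lines, as pasted dig output often does).
SAMPLE_DIG = """\
;; ANSWER SECTION:
sys4.de.\t\t3600\tIN\tSOA\tns.sys4.de. hostmaster.sys4.de. 2015012206 3600
3600 604800 3600
sys4.de.\t\t3600\tIN\tRRSIG\tSOA 8 2 3600 20150129030130 20150122135311 14544
sys4.de. xg6+KXifZyQj3URwaY6XaTsLcQn7g31DiVv+Q3u2IHBQzZZjAvkTm35W
qjWDSsaD31jeNgQVCqvROHs9jmXM+LbSBqfxxLcdR9HFrhuTSZl03S4+
9KIuAbfej7Fr/jguadPPel7ZfdKHf43QvUpb5iy3kxfGh9uzqAvad0BH h+E=
"""


@dataclass
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: list = field(default_factory=list)


def parse_answer_section(text):
    """Collect resource records from dig output.  A line shaped like
    'owner TTL IN TYPE ...' starts a record; any other non-comment line is a
    wrapped continuation and is appended to the previous record's RDATA."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        tokens = line.split()
        if len(tokens) >= 5 and tokens[2] == "IN":
            records.append(Record(tokens[0], int(tokens[1]), tokens[3], tokens[4:]))
        elif records:
            records[-1].rdata.extend(tokens)
    return records


def signing_keys(records, covered="SOA"):
    """(algorithm, key tag) for every RRSIG over `covered`.  RRSIG RDATA is:
    type covered, algorithm, labels, original TTL, expiration, inception,
    key tag, signer, signature -- so the key tag is rdata[6].  Two entries
    mean two keys currently sign the type, e.g. during a double-signature
    rollover; for the SOA that is the ZSK unless one key (CSK) signs all."""
    return [(int(r.rdata[1]), int(r.rdata[6]))
            for r in records if r.rtype == "RRSIG" and r.rdata[0] == covered]


def bind_keyfile_name(zone, algorithm, keytag):
    """dnssec-keygen file naming: K<zone>+<alg, 3 digits>+<tag, 5 digits>.key"""
    return f"K{zone}+{algorithm:03d}+{keytag:05d}.key"


def soa_refresh(records):
    """SOA RDATA: mname rname serial refresh retry expire minimum."""
    soa = next(r for r in records if r.rtype == "SOA")
    return int(soa.rdata[3])


def overlong_ttls(records, limit=86400):
    """Records whose TTL exceeds the 24 h ceiling suggested for signed zones."""
    return [(r.owner, r.rtype, r.ttl) for r in records if r.ttl > limit]


def plan_zsk_timeline(activate, active_life_days, refresh, dnskey_ttl, max_zone_ttl):
    """Publish -> Active waits refresh + DNSKEY-RRset TTL; Inactive -> Delete
    waits refresh + largest TTL in the zone (slaves assumed to transfer
    within one SOA refresh).  `activate` is a YYYYMMDDHHMMSS string."""
    active = datetime.strptime(activate, "%Y%m%d%H%M%S")
    inactive = active + timedelta(days=active_life_days)
    return {
        "P": active - timedelta(seconds=refresh + dnskey_ttl),
        "A": active,
        "I": inactive,
        "D": inactive + timedelta(seconds=refresh + max_zone_ttl),
    }


def settime_command(keyfile, timeline):
    """argv for BIND 9's dnssec-settime with absolute timestamps."""
    argv = ["dnssec-settime"]
    for flag in ("P", "A", "I", "D"):
        argv += ["-" + flag, timeline[flag].strftime("%Y%m%d%H%M%S")]
    return argv + [keyfile]


if __name__ == "__main__":
    recs = parse_answer_section(SAMPLE_DIG)
    (alg, tag), = signing_keys(recs)           # fails loudly if not exactly one signer
    keyfile = bind_keyfile_name("sys4.de.", alg, tag)
    print("current ZSK:", keyfile, "over-long TTLs:", overlong_ttls(recs))
    # Assumed inputs for the plan: DNSKEY TTL 3600, largest zone TTL 86400,
    # 30-day active life, activation at midnight on 2015-01-22.
    tl = plan_zsk_timeline("20150122000000", 30, soa_refresh(recs), 3600, 86400)
    print(" ".join(settime_command(keyfile, tl)))
```

Run against live data by piping `dig soa <zone> +dnssec` into `parse_answer_section`; if `signing_keys` returns two tags you are mid-rollover and both key files are still in use, and a non-empty `overlong_ttls` means the inactive-to-delete gap has to grow beyond refresh + 86400 s.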
