[Pdns-dev] Seperating KSK and ZSK for PowwerDNS ?

Leen Besselink leen at consolejunkie.net
Tue May 29 13:34:49 CEST 2012


As any good netcitizen I've been working on implementing DNSSEC. ;-)

Recently I was flipping through some presentations on DNSSEC and I noticed something in this PDF:


Which belongs to this presentation:


Page 22 "Signed Zone Example: example.com" beautifully illustrates what the KSK is used for.

Probably it doesn't surprise you, but it is very little. In terms of records, it is just 2 records,
the DNSKEY-record for the public key part of the KSK and the RRSIG over all the DNSKEY-records.

The KSK is obviously also used to communicate the DS-record to the parent zone.

It got me thinking, the current PowerDNS database with DNSSEC enabled for a zone has the KSK and ZSK
keys in the cryptokeys table.

How hard would it be to have a mode in PowerDNS where you add the RRSIG which is generated from the
KSK to the database and move the private part of the KSK out of the database.

This could help when you have a hidden master and database replication but would like to prevent the
KSK getting compromised. If you have hundreds or thousands of singed zones you'll be happy you don't
have to communicate all the new keys to the parent zones. Even if it is automated.

It might not work with presigned, but with presigned you might as well not replicate the cryptokeys

It should work in theory with something like NSEC3-narrow.

Haven't looked at the other modes.

It is just an idea, I would like to know what people think.

Have a nice day,

PS An other presentation that might be of interrest as it mentions the PowerDNS Recursor is this one:


His paper his here:


More information about the Pdns-dev mailing list