[Pdns-users] CSK documentation and rollover
Cristian Seres
cristian-2 at contrasec.fi
Thu Jul 21 09:40:00 UTC 2016
Hi,
I have been studying PowerDNS 4.x documentation and various DNSSEC
sources for best practices on keys. I'd like to understand better why
PowerDNS advises to stick to the CSK key defaults of "pdnsutil
secure-zone" and what steps would it require if I'd like to rollover the
CSK key in the future.
CSK (combined signing key) which is default in pdnsutil secure-zone
could have a bit more explanation in PowerDNS documentation especially
because most DNSSEC sources only mention ZSK/KSK. For instance, the
acronym could be explained on
https://doc.powerdns.com/md/authoritative/dnssec/#dnssec-defaults and
also in "Operational instructions section" which only covers KSK and ZSK
rollover at the moment. Also section "A brief introduction to DNSSEC"
explains benefits of KSK/ZSK, but lacks good sides of CSK.
Is rollover of the CSK key recommended at all with PowerDNS? The best
instructions on CSK rollover in general were in the presentation "Flexible
and Robust Key Rollover in DNSSEC" by NLnet Labs,
https://www.iepg.org/2012-11-ietf85/overeinder-iepg-ietf-85.pdf, which
suggests:
Recipe:
  Publish RRSIG B
  Wait TTL(RRSIG)
  Publish DNSKEY B
  Wait TTL(DNSKEY)
  Switch DS A for DS B
  Wait TTL(DS)
  Remove DNSKEY A
  Wait TTL(DNSKEY)
  Remove RRSIG A
  Wait TTL(RRSIG)
Can this recipe be followed with PowerDNS? pdnsutil add-zone-key only
mentions KSK and ZSK.
With best regards,
--
Cristian Seres
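The recipe quoted in the post is a double-signature rollover: each step changes exactly one of the three things a validating resolver may have cached (the parent's DS, the DNSKEY RRset, the RRSIGs over the zone data), and the waits are sized so that every combination of cached old and new versions still validates. The following script is an added example, not part of the post, the NLnet Labs slides or PowerDNS itself; it models that cache behaviour and checks the recipe against an ordering that switches the DS first. It is a simplified validator (key tags are the constructed labels "A" and "B", the DNSKEY RRset is assumed to be signed by every published CSK, signature validity periods are ignored) and the TTL values are constructed.

```python
from dataclasses import dataclass, replace
from itertools import product
from math import inf


@dataclass(frozen=True)
class ZoneState:
    """Which key tags (constructed labels 'A', 'B') the parent DS, the DNSKEY
    RRset and the data RRSIGs refer to at one moment of the rollover."""
    ds: frozenset
    dnskey: frozenset
    signers: frozenset


def validates(ds, dnskey, signers):
    # Simplified chain of trust: some cached DS must match a key in the cached
    # DNSKEY RRset (assumed signed by every published CSK), and the data RRset
    # must carry at least one RRSIG made by a key in that cached DNSKEY RRset.
    return bool(ds & dnskey) and bool(signers & dnskey)


def csk_double_signature_recipe(old="A", new="B"):
    """The NLnet Labs recipe as (action, field changed, new value, TTL to wait)."""
    return [
        ("Publish RRSIG " + new,  "signers", frozenset({old, new}), "rrsig"),
        ("Publish DNSKEY " + new, "dnskey",  frozenset({old, new}), "dnskey"),
        ("Switch DS A for DS B",  "ds",      frozenset({new}),      "ds"),
        ("Remove DNSKEY " + old,  "dnskey",  frozenset({new}),      "dnskey"),
        ("Remove RRSIG " + old,   "signers", frozenset({new}),      "rrsig"),
    ]


def timeline(initial, steps, ttl):
    """Absolute schedule: list of (time, action, state after the action)."""
    t, state, events = 0, initial, []
    for action, field, value, wait in steps:
        state = replace(state, **{field: value})
        events.append((t, action, state))
        t += ttl[wait]
    return events


def cached_versions(initial, events, field, t, ttl):
    """Values of `field` a resolver may still hold at time t: every version
    that was published at some moment in (t - ttl, t], the pre-rollover value
    included if that window reaches back before the first event."""
    seen = set()
    states = [(-inf, initial)] + [(et, st) for et, _, st in events]
    for i, (start, st) in enumerate(states):
        end = states[i + 1][0] if i + 1 < len(states) else inf
        if start <= t and end > t - ttl:
            seen.add(getattr(st, field))
    return seen


def check_rollover(initial, steps, ttl):
    """Return (time, action, ds, dnskey, signers) combinations that fail to
    validate; an empty list means no resolver cache state breaks the zone.
    Checking at each event time is enough: between events, old versions only
    age out of the cache windows, so nothing new can fail."""
    events = timeline(initial, steps, ttl)
    failures = []
    for t, action, _ in events:
        combos = product(
            cached_versions(initial, events, "ds", t, ttl["ds"]),
            cached_versions(initial, events, "dnskey", t, ttl["dnskey"]),
            cached_versions(initial, events, "signers", t, ttl["rrsig"]),
        )
        for ds, dnskey, signers in combos:
            if not validates(ds, dnskey, signers):
                failures.append((t, action, ds, dnskey, signers))
    return failures


# Constructed TTLs (seconds) and the single-CSK starting point of the zone.
TTL = {"rrsig": 300, "dnskey": 3600, "ds": 86400}
START = ZoneState(frozenset({"A"}), frozenset({"A"}), frozenset({"A"}))


def hasty_recipe():
    """Same steps, but the DS is switched before DNSKEY B is published."""
    good = csk_double_signature_recipe()
    return [good[2]] + good[:2] + good[3:]


if __name__ == "__main__":
    print("recipe failures:", check_rollover(START, csk_double_signature_recipe(), TTL))
    print("first hasty failure:", check_rollover(START, hasty_recipe(), TTL)[:1])
```

The recipe produces no failing combination, while the hasty variant fails at its very first step: a resolver that has already fetched the new DS but still holds the old DNSKEY RRset finds no key matching the DS. Reordering the steps or shortening a wait below the corresponding TTL and re-running the check shows which cache combination a given shortcut would break.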