[Pdns-users] CSK documentation and rollover

Cristian Seres cristian-2 at contrasec.fi
Thu Jul 21 09:40:00 UTC 2016


I have been studying PowerDNS 4.x documentation and various DNSSEC 
sources for best practices on keys. I'd like to understand better why 
PowerDNS advises to stick to the CSK key defaults of "pdnsutil 
secure-zone" and what steps would it require if I'd like to rollover the 
CSK key in the future.

CSK (combined signing key) which is default in pdnsutil secure-zone 
could have a bit more explanation in PowerDNS documentation especially 
because most DNSSEC sources only mention ZSK/KSK. For instance, the 
acronym could be explained on 
https://doc.powerdns.com/md/authoritative/dnssec/#dnssec-defaults and 
also in "Operational instructions section" which only covers KSK and ZSK 
rollover at the moment. Also section "A brief introduction to DNSSEC" 
explains benefits of PSK/ZSK, but lacks good sides of CSK.

Is rollover of the CSK key recommended at all with PowerDNS? The best 
instructions on CSK rollover in general were in presentation "Flexible 
and Robust Key Rollover in DNSSEC by NLnet Labs, 
https://www.iepg.org/2012-11-ietf85/overeinder-iepg-ietf-85.pdf which 

     Publish RRSIG B
     Wait TTL(RRSIG)
     Publish DNSKEY B
     Wait TTL(DNSKEY)
     Switch DS A for DS B
     Wait TTL(DS)
     Remove DNSKEY A
     Wait TTL(DNSKEY)
     Remove RRSIG A
     Wait TTL(RRSIG)

Can this recipe be followed with PowerDNS? pdnsutil add-zone-key only 
mentions KSK and ZSK.

With best regards,

Cristian Seres

More information about the Pdns-users mailing list