[Pdns-users] CSK documentation and rollover
cristian-2 at contrasec.fi
Thu Jul 21 09:40:00 UTC 2016

I have been studying PowerDNS 4.x documentation and various DNSSEC
sources for best practices on keys. I'd like to understand better why
PowerDNS advises to stick to the CSK key defaults of "pdnsutil
secure-zone" and what steps it would require if I'd like to roll over the
CSK key in the future.

CSK (combined signing key), which is the default in pdnsutil secure-zone,
could have a bit more explanation in PowerDNS documentation especially
because most DNSSEC sources only mention ZSK/KSK. For instance, the
acronym could be explained on
also in "Operational instructions section" which only covers KSK and ZSK
rollover at the moment. Also section "A brief introduction to DNSSEC"
explains the benefits of PSK/ZSK, but lacks the good sides of CSK.

Is rollover of the CSK key recommended at all with PowerDNS? The best
instructions on CSK rollover in general were in the presentation "Flexible
and Robust Key Rollover in DNSSEC" by NLnet Labs,
Publish RRSIG B
Publish DNSKEY B
Switch DS A for DS B
Remove DNSKEY A
Remove RRSIG A

Can this recipe be followed with PowerDNS? pdnsutil add-zone-key only
mentions KSK and ZSK.

With best regards,
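
Added example, not part of the original post and not PowerDNS or NLnet Labs code: a small Python model of the five steps listed in the message, checking that a validator can always build a chain of trust while the rollover is in progress. It assumes (as a modelling simplification) that a CSK chain validates when one key has a DS, a DNSKEY and an RRSIG in the validator's view, and that the operator waits out the TTLs between steps so a cache only mixes the previous and the new state; the reordered sequence is a constructed counter-example.

```python
from itertools import product

# Which keys have an RRSIG, a DNSKEY and a DS published (A = old CSK, B = new CSK).
START = {"RRSIG": {"A"}, "DNSKEY": {"A"}, "DS": {"A"}}

# The five steps quoted in the post: (name, RRset changed, keys present afterwards).
RECIPE = [
    ("Publish RRSIG B", "RRSIG", {"A", "B"}),
    ("Publish DNSKEY B", "DNSKEY", {"A", "B"}),
    ("Switch DS A for DS B", "DS", {"B"}),
    ("Remove DNSKEY A", "DNSKEY", {"B"}),
    ("Remove RRSIG A", "RRSIG", {"B"}),
]

# Constructed counter-example: the DS is swapped before DNSKEY B is published.
REORDERED = [RECIPE[0], RECIPE[2], RECIPE[1], RECIPE[3], RECIPE[4]]


def validates(rrsig, dnskey, ds):
    """Model assumption: the chain holds if one key appears in all three sets."""
    return bool(rrsig & dnskey & ds)


def check_rollover(steps, start=START):
    """Return (names of steps where some cache mix fails, final state).

    Model assumption: TTLs are waited out between steps, so a validator holds
    each RRset from either the previous state or the new one, in any mix.
    """
    failures = []
    state = dict(start)
    for name, rrtype, keys in steps:
        new_state = dict(state, **{rrtype: keys})
        views = product(*[(state[t], new_state[t])
                          for t in ("RRSIG", "DNSKEY", "DS")])
        if not all(validates(*view) for view in views):
            failures.append(name)
        state = new_state
    return failures, state


if __name__ == "__main__":
    for label, steps in (("recipe", RECIPE), ("reordered", REORDERED)):
        failures, final = check_rollover(steps)
        print(label, "- failing steps:", failures or "none", "- final:", final)
```
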