[Pdns-users] Migrate from zsk/ksk/rsa to csk/ecdsa

Oli Schacher oli.schacher at switch.ch
Fri Aug 3 12:32:48 UTC 2018

On 02.08.18 15:38, Nicola Tiling wrote:
> Hi Oli
> Thanks a lot for your answer. Unfortunately there is no documentation for an algorithm rollover in pdns documentation and it is hard to find something about it with google...

There are two ways to perform an algorithm rollover, called
"conservative" and "liberal" per RFC 4035 section 2.2:

"There MUST be an RRSIG for each RRset using at least one DNSKEY of
each algorithm in the zone apex DNSKEY RRset.  The apex DNSKEY RRset
itself MUST be signed by each algorithm appearing in the DS RRset
located at the delegating parent (if any)."

A conservative rollover takes these requirements into account very
strictly, so you'd have to introduce RRSIGS first before you can add the
DNSKEY. AFAIK you can't do this with PowerDNS live signing.

Current validating resolvers however do not enforce these rules, which
enables liberal rollovers. These are basically the same as normal double
signature rollovers. Your zone should validate as long as there is
always at least one working combination of DS->matching DNSKEY->matching
RRSIGS. TLDs mostly performed conservative rollovers historically, but
recently .SE rolled using the liberal approach with no issues [1].

Using the liberal rollover you can simplify the plan quite a bit:

 * Add new (active) key/rectify/increase-serial, the zone is now signed
with both the old and new keys ("double signature rollover")
 * Wait at least "the largest TTL in the Zone" (to make sure the new
key and its RRSIGS are propagated)
 * Replace DS records through the registrar, meaning add the new DS and
remove all old DS at the same time. In your playbook you mention two
interactions with the parent zone (step 5 and 16) but this is a double
signature rollover, not a double DS rollover, so you only need to update
once. Having both DS published at the same time could actually cause
problems, for example if they have inconsistent digest types [2].
 * When the new DS is visible at the parent, wait at least DS TTL + a
little longer to account for replication delays
 * At that point all resolvers should validate using the new DS/KEY, so
you can remove the old KSK/ZSK, there is no need to deactivate it first

I have personally never performed an algorithm rollover and a change from
split key to combined signing keys at the same time. It's certainly a
good idea to go through this procedure first with a test zone before you
do it with anything important.

Best regards
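
The "at least one working combination of DS -> matching DNSKEY -> matching RRSIG" invariant from the message above is something you can check mechanically at each step of the liberal rollover. The script below is an added example written for this page, not code from the list post or from PowerDNS. It implements the RFC 4034 key tag (Appendix B) and DS digest (section 5.1.4) computations, applies the RFC 4509 rule that SHA-1 DS records are ignored when a SHA-256 DS is present (the "inconsistent digest types" problem mentioned in the steps), and reports which DS records at the parent lead to a DNSKEY that also signs the apex DNSKEY RRset. It checks structure only and does not verify signature bytes. The zone, keys, DS and RRSIG values are constructed placeholders; in practice you would transcribe them from `dig DNSKEY` / `dig DS` output for your zone before and after each step.

```python
"""Pre-flight check for a liberal ("double signature") DNSSEC algorithm rollover.
Given the DS RRset at the parent and the DNSKEY / RRSIG(DNSKEY) RRsets served by
the child, list every usable chain DS -> matching DNSKEY -> RRSIG over the DNSKEY
RRset made with that key, dropping DS records a validator would ignore.
Hypothetical helper, not PowerDNS code; every record value below is constructed."""
import hashlib
from dataclasses import dataclass

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # RFC 4034/4509/6605
ZONE_KEY_FLAG = 0x0100  # RFC 4034 section 2.1.1; keys without it are not used for validation

@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key

    def key_tag(self) -> int:
        acc = 0  # RFC 4034 Appendix B.1 checksum over the RDATA (all algorithms except RSA/MD5)
        for i, byte in enumerate(self.rdata()):
            acc += byte if i & 1 else byte << 8
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF

@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes

@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, length-prefixed."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def ds_from_dnskey(key: DNSKEY, digest_type: int) -> DS:
    """RFC 4034 section 5.1.4: digest = H(owner name wire | DNSKEY RDATA)."""
    digest = DIGEST_ALGS[digest_type](owner_wire(key.owner) + key.rdata()).digest()
    return DS(key.key_tag(), key.algorithm, digest_type, digest)

def effective_ds(ds_set):
    """DS records a validator actually considers: unknown digest types are ignored, and per
    RFC 4509 section 3 SHA-1 DS records SHOULD be ignored when a SHA-256 DS is present."""
    known = [ds for ds in ds_set if ds.digest_type in DIGEST_ALGS]
    if any(ds.digest_type == 2 for ds in known):
        known = [ds for ds in known if ds.digest_type != 1]
    return known

def usable_chains(ds_set, dnskeys, rrsigs):
    """Every (DS, DNSKEY) pair that gives a validator a complete trust chain."""
    chains = []
    for ds in effective_ds(ds_set):
        for key in dnskeys:
            if not (key.flags & ZONE_KEY_FLAG) or key.protocol != 3:
                continue
            if (ds.key_tag, ds.algorithm) != (key.key_tag(), key.algorithm):
                continue
            if ds_from_dnskey(key, ds.digest_type).digest != ds.digest:
                continue
            # The DNSKEY RRset must carry an RRSIG made with this key. Signature bytes are
            # not verified here; this is the structural check, not cryptographic validation.
            if any(sig.type_covered == "DNSKEY" and sig.algorithm == key.algorithm
                   and sig.key_tag == key.key_tag() and sig.signer.lower() == key.owner.lower()
                   for sig in rrsigs):
                chains.append((ds, key))
    return chains

def rollover_step_safe(ds_set, dnskeys, rrsigs) -> bool:
    """The invariant every rollover step must keep: at least one usable chain exists."""
    return bool(usable_chains(ds_set, dnskeys, rrsigs))

# Constructed zone mid-rollover: old RSASHA256 (8) KSK+ZSK and a new ECDSAP256SHA256 (13) CSK.
ZONE = "example.com."
OLD_KSK = DNSKEY(ZONE, 257, 3, 8, b"\x03\x01\x00\x01" + bytes(32))  # placeholder key material
OLD_ZSK = DNSKEY(ZONE, 256, 3, 8, b"\x03\x01\x00\x01" + bytes(16))  # placeholder key material
NEW_CSK = DNSKEY(ZONE, 257, 3, 13, bytes(64))                        # placeholder, not a real point
KEYS = [OLD_KSK, OLD_ZSK, NEW_CSK]
# Both keys are active, so the DNSKEY RRset is signed by the old KSK and by the new CSK.
SIGS = [RRSIG("DNSKEY", 8, OLD_KSK.key_tag(), ZONE), RRSIG("DNSKEY", 13, NEW_CSK.key_tag(), ZONE)]
OLD_DS = ds_from_dnskey(OLD_KSK, 2)
NEW_DS = ds_from_dnskey(NEW_CSK, 2)

if __name__ == "__main__":
    for label, parent, keys in [("old DS, both keys", [OLD_DS], KEYS),
                                ("new DS, both keys", [NEW_DS], KEYS),
                                ("old DS, old keys already removed", [OLD_DS], [NEW_CSK])]:
        algs = [key.algorithm for _, key in usable_chains(parent, keys, SIGS)]
        print(f"{label}: {'OK' if algs else 'BROKEN'} (chains via algorithms {algs})")
```

Run as-is it prints OK for the first two states and BROKEN for the third, which is the failure the last step warns about: removing the old KSK/ZSK before the new DS is visible at the parent leaves the parent's DS pointing at a key that no longer exists. Feeding it a SHA-1 DS for the old key next to a SHA-256 DS for the new one shows the RFC 4509 effect, since the SHA-1 record drops out of the effective set and only the new chain remains.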

