[dns-operations] DNSSEC zone resigning and key roll-over

Patrick, Robert Robert.Patrick at hq.doe.gov
Mon Oct 26 08:44:12 UTC 2009

I'm trying to grok DNSSEC zone resigning versus zone-signing-key (zsk) roll-over.

From what I understand key roll-over is an action performed in two scenarios:
1) if a key is compromised, an emergency roll-over should be performed
2) if a key has been in use for a while, reduce risk of successful attacks against the key by performing periodic roll-over

Looks like routine roll-overs for zone-signing-keys are recommended every 30 days, based on NIST and other documentation, best practices, etc.

If I sign a zone using default values, the RRSIG expiration dates are set 30 days out.

If I automatically resign a zone every 24 hours using a cron job, but forget to perform roll-over, nothing breaks on days 31, 32, 33, etc. so long as the zone continues to be resigned, correct?  The longer I wait to perform zsk roll-over, the greater the risk that an attacker may compromise my key through brute-force or equivalent attacks, but DNS continues to function, correct?

From what I understand, zsk rollover takes place on a schedule independent of zone expiration.  It appears that zsk lifetime is based on an arbitrary policy defined by people/organizations, and that so long as the zone continues to be resigned before it expires, the zone is valid.  In the event the zone is not resigned before it expires, the zone becomes invalid - which is a failure to resign the zone (thus updating the expiration date), not a failure to perform recurring rollover.

With each resigning, presumably the zone expiration clock can be reset, such that a zone with a 30-day expiration will never expire if it is resigned once every 24 hours via a cron job, plus resigned whenever a record is created/updated/deleted.  Changing a published zsk to the current zsk certainly amounts to a zone update, thus the zone is resigned during rollover, but if I forget to rotate keys would the zone remain valid so long as it was resigned on a recurring schedule?

If I'm wrong in my interpretation, please let me know...
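As an added illustration (not code from the post, nor from any signing tool), the following models the two clocks the question separates: RRSIG expiration, which decides whether validators still accept the zone, and ZSK age, which is only a policy threshold. The RRSIG lines, the 24-hour resign interval and the 30-day key lifetime are constructed sample values.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIGs in presentation format (not from the post); the
# signature field is truncated since only expiration/inception/key tag matter here.
SAMPLE_RRSIGS = """
example.com. 3600 IN RRSIG SOA 8 2 3600 20091125084412 20091026084412 12345 example.com. AbCd==
www.example.com. 3600 IN RRSIG A 8 3 3600 20091027084412 20090927084412 12345 example.com. EfGh==
mail.example.com. 3600 IN RRSIG MX 8 3 3600 20091025084412 20090925084412 12345 example.com. IjKl==
"""
TS = "%Y%m%d%H%M%S"  # RRSIG timestamps are YYYYMMDDHHmmSS, always UTC

def utc(*args):
    """Helper: build a timezone-aware UTC datetime from (y, m, d[, h, mi, s])."""
    return datetime(*args, tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Return (owner, type covered, inception, expiration, key tag) per RRSIG line."""
    out = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        exp = datetime.strptime(f[8], TS).replace(tzinfo=timezone.utc)
        inc = datetime.strptime(f[9], TS).replace(tzinfo=timezone.utc)
        out.append((f[0], f[4], inc, exp, int(f[10])))
    return out

def check_zone(rrsig_text, zsk_published, now,
               resign_interval=timedelta(days=1), zsk_lifetime=timedelta(days=30)):
    """Two independent clocks: RRSIG expiration decides validity, key age is policy."""
    sigs = parse_rrsigs(rrsig_text)
    expired = [s[0] for s in sigs if s[3] <= now]
    # Signatures that will lapse before the next cron run must be regenerated now.
    due_soon = [s[0] for s in sigs if now < s[3] <= now + resign_interval]
    return {
        "valid": not expired,  # validators treat the zone as bogus once any RRSIG lapses
        "expired": expired,
        "due_soon": due_soon,
        "zsk_age_days": (now - zsk_published).days,
        "zsk_rollover_overdue": now - zsk_published >= zsk_lifetime,  # policy only
    }

if __name__ == "__main__":
    print(check_zone(SAMPLE_RRSIGS, utc(2009, 8, 1), utc(2009, 10, 26, 8, 44, 12)))
```

Running it at the post's own timestamp with a key published on 2009-08-01 reports the key as overdue for rollover while the zone's validity depends solely on the one lapsed RRSIG.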

