[dns-operations] DNSSEC operation and manamegment automation

CHui chui at lbl.gov
Sat Jan 14 07:12:18 UTC 2012

During the ISC Bind 10 Open Day (01/13/2012), there was a short discussion
on key management features in Bind 9 & 10.  I did not know what was the
consensus came out of the discussion, but I believe Bind could take DNSSEC
signing and key management to the next level with total automation.  

In theory, Bind knows enough from named.conf about the zone that need to be
signed.  With the knowledge of the zone data TTL, Bind should be able to
work out the ZSK rotation timing details to pre-publish the next key, when
to activate the new key, retire the current key, and ultimately, the time to
remove the old key.  As for KSK, based on some new user configurable timing
parameter,  Bind would pre-publish a new KSK, double signed the current ZSK
with both new and current KSK, and generate the DS for the parent zone.
Once Bind detect the chain of trust has established for the managed zone, DS
signed by the parent and published in parent zone, the old KSK could be
scheduled for deletion. 

This observation is based on my recent DNSSEC operation experience in an
enterprise network environment.  I don't know if it made sense at all for
ISP or large/lots of zones operators. Yet I think the automation feature
will encourage DNSSEC adoption and certainly will make my DNSSEC maintenance
task so much more manageable.

Cedric Hui
Berkeley Lab.

More information about the dns-operations mailing list