[dns-operations] DNSSEC operations

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Dec 16 20:24:37 UTC 2020


On Wed, Dec 16, 2020 at 12:33:37PM -0700, Eugene Tsuno - NOAA Affiliate wrote:

> 
> Just by reading, the delegated/subdomain server needs to generate a DS key
> and have it added to the config of the higher server.  The group that owns
> the upper servers says they need to do other periodic things to make this
> work.  My reading indicates that the DS key doesn't expire.

Each DS RDATA is a hash of the child domain's KSK.  So long as the
child domain continues to use the same KSK, the DS RDATA remains
stable.

> So do those who have subdomains delegated have to regenerate DS keys ever?
> Or is it a one time thing?  Since most children have a parent, I can't
> believe it is a manual or recurring thing.

Only when they perform a KSK rollover.  With a sufficiently strong
KSK, kept adequately protected, one might do this only every few
years.  For example, here is the recent history of the .ORG DS
RRset:

     tag  | alg | type |                                hash                              |   start date | end date
    ------+-----+------+------------------------------------------------------------------+--------------+------------
     9795 |   7 |    1 | 364dfab3daf254cab477b5675b10766ddaa24982                         | < 2017-10-20 | 2020-04-29
     9795 |   7 |    2 | 3922b31b6f3a4ea92b19eb7b52120f031fd8e05ff0b03bafcf9f891bfe7ff8e5 | < 2017-10-20 | 2020-04-29
    17883 |   7 |    1 | 38c5cf93b369c7557e0515faaa57060f1bfb12c1                         |   2020-04-10 | 2020-10-01
    17883 |   7 |    2 | d889cad790f01979e860d6627b58f85ab554e0e491fe06515f35548d1eb4e6ee |   2020-04-10 | 2020-10-01
    26974 |   8 |    2 | 4fede294c53f438a158c41d39489cd78a86beb0d8a0aeaff14745c0d16e1de32 |   2020-10-01 |

I don't have data prior to late October 2017, but it is safe to guess
that the KSK that was withdrawn on 2020-04-29 had been in place
for some years by then.  It was superseded by a new KSK introduced
in April 2020, and (with prior plans foiled by COVID) again on
2020-10-01, which was an algorithm rollover from
RSASHA1-NSEC3-SHA1(7) to RSASHA256(8).

On the other hand, the .COM DS RRset history (since Oct 2017) is simply:

     tag  | alg | type |                              hash                                | start date   | end date
    ------+-----+------+------------------------------------------------------------------+--------------+---------
    30909 |   8 |    2 | e2d3c916f6deeac73294e8268fb5885044a833fc5459588f4a9184cfc41a5766 | < 2017-10-20 |

The same KSK has been in place for at least 3 years, and likely some years prior to that.

-- 
    Viktor.
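Added example (not part of Viktor's message): Python that derives the DS RDATA (key tag, algorithm, digest type, digest) from a DNSKEY as RFC 4034 specifies, so the "hash of the child's KSK" in the tables above can be reproduced and seen to depend only on the owner name and the key itself. The owner name and key bytes are constructed for illustration, not a real zone's.

```python
"""Derive a DS record from a DNSKEY: digest = hash(owner name wire form || DNSKEY RDATA),
per RFC 4034 section 5.1.4; key tag per RFC 4034 Appendix B."""
import base64
import hashlib

# DS digest types seen in the tables above: 1 = SHA-1, 2 = SHA-256 (RFC 4509).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, then the root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue  # the root name "." yields no labels
        if len(label) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except 1/RSAMD5, which used another rule)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_rdata(owner, flags, protocol, algorithm, pubkey_b64, digest_type):
    """Return (key tag, algorithm, digest type, hex digest): the DS RDATA for this DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(pubkey_b64))
    digest = DIGEST_ALGS[digest_type](owner_name_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), algorithm, digest_type, digest


if __name__ == "__main__":
    # Constructed KSK (flags 257 = ZONE|SEP, protocol 3, alg 8 = RSASHA256); not a real key.
    fake_key = base64.b64encode(bytes(range(1, 65))).decode()
    for dtype in (1, 2):  # same key, two digest types, as in the .ORG table
        tag, alg, dt, hexd = ds_rdata("example.org.", 257, 3, 8, fake_key, dtype)
        print("example.org. IN DS %d %d %d %s" % (tag, alg, dt, hexd))
```

Compare the output against `dig +dnssec DS <child>` at the parent to confirm a published DS still matches the child's current KSK; a mismatch after a KSK rollover is exactly the situation in which the parent's DS must be updated.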