Procedure: Normal KSK rollover and parent sync

Written by Rick van Rein in category: Procedures, Resilience, Security

When?
Every once in a while, for example once a year, the KSK for each zone needs to be rolled over. This involves communication with the parent zone, which publishes the hash of the KSK as a DS record or, if multiple hash algorithms are supported, as multiple DS records describing one KSK. Depending on the parent, it may support or even enforce the use of one or multiple simultaneous KSK records during a rollover.

What?

  • After the procedure there is a single KSK in the zone being rolled.
  • After the procedure the parent’s DS records represent only a single KSK.
  • Throughout the procedure, the parent’s DS list is supported with at least as many KSK.
  • After the parent removes a DS, it takes at least the DS’ TTL before the matching KSK may be removed from public DNS.
  • At any time during the procedure, the KSK signs at least one ZSK that signs the entire zone.

Why?
The parent generally wants to have uncluttered zones, so limiting the number of KSK represented in its DS records is good. Having a minimum number of KSK in a zone also helps to limit clutter in one’s own records.
The need to keep a KSK for a DS TTL after a DS vanishes from the parent is due to the possibility that a cache may hold the DS and thus expect to find the matching KSK.

How?

For parents which allow one KSK per domain:

  1. Introduce a new KSK to the zone.
  2. Have the zone signed with the new KSK as well as the old one.
  3. Wait until all caches have access to the newly signed records; that is, wait the longest RRSIG TTL after all authoritatives have picked up on the additional signatures.
  4. Publish the DS for the new KSK in the parent, replacing the old DS because the parent demands that.
  5. Wait until the parent publishes the new DS record.
  6. Wait the longest time of the old and new DS’ TTL time.
  7. Depracate the old KSK from the signer.

For parents which welcome multiple DS per domain during rollover:

  1. Add a new KSK to the zone.
  2. Sign the zone with the new KSK as well as the old one.
  3. Publish the new DS in the parent zone, alongide the old one.
  4. Wait until the new DS is published.
  5. Wait the old DS’ TTL time.
  6. Depracate the old KSK from the signer.
  7. Remove the old DS from the parent zone.

Respond

*