The diagram above shows the starting situation on the source signer. The starting situation shown is a typical snapshot of the state of a signer that uses the “ZSK pre-publication” rollover strategy in which a ZSK is pre-published before it is made active and in which old signatures are gradually rolled to the new key […]
Introduction
As mentioned in the previous post, we will be publishing a series of articles on signer migration. In this article, we will address the goals we set ourselves for the signer migration as well as outline the assumptions we made. We’ll end the article with a brief explanation of the diagrams we will be […]
One of our goals with this blog has been to share what we have learned from our DNSSEC deployment with our constituency and the wider Internet community. Last month we performed a complicated operation on our DNSSEC signer deployment: we migrated from the existing signer setup to a completely independently running new signer. We had […]
OpenDNSSEC is much more dependent on proper timing than plain DNS, mainly because of the regular rollover of keys. Because of this, a lot of care must go into the design of timing, and especially the TTL parts of DNS records.
In a previous article we discussed the idea of a high-availability Hardware Security Module (or HSM) service. To make the entire DNSSEC signing service act in high-availability mode there is one more part to replicate, namely the OpenDNSSEC signer machines. These manage the procedures and are aware of the DNS and timing intricacies of DNSSEC. […]
For a paper I’m writing on state-of-the-art cryptography and applications of cryptography I’ve drawn a picture of the complete trust chain required to validate the answer to a query for www.surfdnssec.org (which is in one of our test domains and is a CNAME pointing to this blog). It really drives home how complex DNSSEC can […]
When you start to support DNSSEC, you are suddenly supposed to manage the keys used to sign the domain. This is a typical task for a security officer. Typical concerns are to conceal the private keys from outside-world prying eyes, and to avoid losing keys as long as the outside world needs them to trust […]
If any design principle has been leading our architectural work around resilience for DNSSEC, it has been idempotence. It is one of those algebraic concepts that really helps to beat sense into a complex set of choices. Idempotence means that doing the same thing twice is no different from doing it once. Painting orange on […]
In a previous post we addressed access control on the network level. This post will focus on access control in various ways on the signer machine.
User access control
The most basic – but nevertheless important – way of controlling access is by determining which users need access to the signer machine and the potentially […]
Introduction
A big part of the security of our infrastructure is determined by the access control we enforce on all the components that form the DNSSEC signer infrastructure. Access control is important on several levels:
- Network level
- Access to machines and user privileges on these machines
- Access to sensitive data on the signer
- HSM roles […]