DNSSEC Key Maintenance Procedure
Document ID: TBD
Date: September 2005
This document describes the RIPE NCC policy for key distribution and maintenance during the deployment of DNSSEC in its service region.
One of the main issues for early deployment of DNSSEC is key distribution and maintenance. For each zone that is signed, a key pair is created. The private part of that key pair is used to sign the zone, while the public key needs to be distributed to the DNS clients, that is, the validating recursive nameservers that use it to validate the data. DNSSEC allows public key distribution through the DNS, but this only works if it is possible to build a chain of authority from a 'trust-anchor' through the delegations from parent to child down to each zone.
This 'trust-anchor' should ideally be the root. If there is no signed root, then all DNS clients that want to verify zone data will have to manually configure the zone keys. Maintenance of these keys is a process that does not scale well. We are working to come up with a solution to this issue.
The lack of key maintenance protocols is no reason to delay deployment of signed zones. Operators that configure 'trust-anchors' into their validating DNS clients will need to maintain them carefully: the configured 'trust-anchor' and the key signing key used to sign the zone must stay synchronised. If operators do not update their keys, their zones might become invisible to DNS clients performing DNSSEC validation.
To avoid such failures, the RIPE NCC will sign its zones using the policy proposed below.
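The synchronisation requirement above, as an added illustration that is not part of this RIPE NCC document: a standard-library Python model of the key tag and DS digest computation (RFC 4034) with which a validating client matches a configured 'trust-anchor' against the DNSKEY RRset a zone publishes. The zone name and key bytes are constructed placeholders, and the functions are hypothetical names chosen for this example.

```python
import hashlib

# Constructed model (not RIPE NCC code) of how a validating client matches a
# configured trust anchor against the DNSKEY RRset a signed zone publishes.
def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, key material."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata):
    """Key tag of a DNSKEY (RFC 4034 Appendix B, algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata):
    """DS digest type 2 (SHA-256) over owner name wire form plus DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()

def trust_anchor(owner, rdata):
    """What an operator configures for a zone: (key tag, DS digest) of its KSK."""
    return (key_tag(rdata), ds_digest(owner, rdata))

def anchored(owner, dnskey_rrset, anchors):
    """True if any published DNSKEY matches a configured trust anchor; False means
    no chain of authority can start here and the zone is invisible to the client."""
    return any(trust_anchor(owner, rdata) in anchors for rdata in dnskey_rrset)

ZONE = "example.net."     # placeholder zone name
KSK_FLAGS = 257           # zone key with the SEP bit set (key signing key)
ALG = 5                   # RSA/SHA-1, the algorithm in common use in 2005

# Constructed key material; real public keys are far longer.
ksk_old = dnskey_rdata(KSK_FLAGS, ALG, b"\x01" * 16)
ksk_new = dnskey_rdata(KSK_FLAGS, ALG, b"\x02" * 16)
zsk = dnskey_rdata(256, ALG, b"\x03" * 16)   # zone signing key, no SEP bit

# A client that configured the old KSK as its trust anchor and never updated it.
client_anchors = [trust_anchor(ZONE, ksk_old)]

# During a rollover both KSKs are published, so the stale anchor still works.
still_valid = anchored(ZONE, [ksk_old, ksk_new, zsk], client_anchors)
# Once the old KSK is withdrawn the zone goes dark for that client.
gone_dark = anchored(ZONE, [ksk_new, zsk], client_anchors)
```

The comparison is the same one a validator performs against a DS record from a signed parent; a locally configured 'trust-anchor' simply stands in for that DS record while no signed parent exists.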
This procedure applies to each zone that the RIPE NCC will sign.