DNSSEC Key Maintenance Procedure |
|
|
Olaf Kolkman
Document ID: TBD
Date: September 2005
Abstract
This document describes RIPE NCC policy key distribution and maintenance
during the deployment of DNSSEC in its service region.
Contents
1.0 Introduction
2.0 Proposed DNSSEC Key Procedure
3.0 References
1.0 Introduction
One of the main issues for early deployment of DNSSEC is key distribution
and maintenance. For each zone that is signed, a key pair is created.
The private part of that key pair is used to sign the zone, while
the public key needs to be distributed to the DNS client. This means
validating recursive nameservers to validate the data. DNSSEC allows
public key distribution through the DNS, but this will only work
if it is possible to build a chain of authority from a 'trust-anchor'
through delegation from parents to child in each zone.
This 'trust-anchor' should ideally be the root. If there is no
signed root, then all DNS clients that want to verify zone data
will have to manually configure the zone keys. Maintenance of these
keys is a process that does not scale well. We are working to come
up with a solution to this issue.
The lack of key maintenance protocols is no reason to delay deployment
of signed zones. Operators that configure 'trust-anchors' into their
validating DNS clients will need to carefully maintain them. The
'trust-anchor' and the key signing key used to sign the zone remain
must stay synchronised. If operators do not update their keys, then
their zones might become invisible to DNS clients performing DNSSEC
validation.
To avoid possible possible failures, the RIPE NCC will sign its
zones using the policy proposed below.
2.0 Proposed DNSSEC Key Procedure
This procedure applies to each zone that the RIPE NCC will sign.
-
RIPE NCC will sign all data in the zone with at least one Zone
Signing Key (ZSK). A ZSK is zone specific.
-
The ZSK will be published in the DNSKEY Resource Record (RR)
set and signed with a Key Signing Key (KSK).
-
The KSKs will have a SEP flag set so that they can be distinguished
from the ZSKs in the DNSKEY RR set.
-
The ZSK may be rolled without making any announcement. We will
follow the 'pre-publish rollover scheme' as published in [1]. This will avoid
breaks in the chain of trust.
- During the first two years of deployment, the KSK of each signed
zone will be rolled twice each year. The rollover scheme that
we will follow is the 'double signature scheme' published in [1]. There will be an overlap of three months to allow zone administrators
to configure their new key.
o At t=0 KSK1 signs the keyset.
At t=3months KSK1 and KSK2 sign the keyset. DNS clients are
expected to configure KSK2 during the three months that follow.
At t=6months only KSK2 signs the keyset until (at t=9 months)
KSK3 is introduced and a new rollover starts.
o All zones at the RIPE NCC will
roll their KSK simultaneously.
-
The RIPE NCC will start generating
signatures that are valid for one month. However, after announcing
the change, it might decrease the signing validity period to
the shortest operationally possible period. Also see [ 1] section 4.4.4.
The ZSK will be an RSA/SHA1 key of 1200 bits ([1] section 3.5)
The KSK will be an RSA/SHA1 key of 2048 bits.
The RIPE NCC will publish the KSKs to be used as 'trust-anchors'
for our zones on a secure website. It will follow the format used
in the 'trusted-keys' statement in BIND9 named configuration files.
The RIPE NCC would consider publishing its KSKs in appropriate
registries that may emerge to facilitate the establishment of DNSSEC
trust anchors.
Any changes to this procedure and other announcements will be signed
with the RIPE NCC PGP key and published on a secure website and
a dedicated mailing list.
3.0 References
[1] draft-ietf-dnsop-dnssec-operational-practices-04.txt
(work in progress).
|
you are here: RIPE -> RIPE Draft Documents
