Olaf Kolkman
Document ID: TBD
Date: September 2005
This draft document describes the RIPE NCC policy on key distribution and maintenance during the deployment of DNSSEC in its service region.
1.0 Introduction
2.0 Proposed DNSSEC Key Procedure
3.0 References
One of the main issues for early deployment of DNSSEC is key distribution and maintenance. For each zone that is signed, a key pair is created. The private part of that key pair is used to sign the zone, while the public key needs to be distributed to the DNS clients, that is, to the validating recursive nameservers that use it to validate the data. DNSSEC allows public key distribution through the DNS itself, but this only works if it is possible to build a chain of trust from a 'trust-anchor' down through the delegations from each parent zone to its child.
This 'trust-anchor' should ideally be the root. As long as there is no signed root, all DNS clients that want to verify zone data will have to configure the zone keys manually. Maintaining these keys by hand is a process that does not scale well. We are working to come up with a solution to this issue.
The lack of key maintenance protocols is no reason to delay deployment of signed zones. Operators that configure 'trust-anchors' into their validating DNS clients will need to maintain them carefully: the configured 'trust-anchor' and the key signing key (KSK) used to sign the zone must stay synchronised. If operators do not update the configured key when the KSK changes, the zone might become invisible to their DNS clients, because DNSSEC validation of all data in that zone then fails.
To avoid such failures, the RIPE NCC will sign its zones using the policy proposed below.
This procedure applies to each zone that the RIPE NCC will sign.
The zone signing key (ZSK) will be an RSA/SHA1 key of 1200 bits ([1], section 3.5).
The key signing key (KSK) will be an RSA/SHA1 key of 2048 bits.
The RIPE NCC will publish the KSKs to be used as 'trust-anchors' for its zones on a secure website, in the format used by the 'trusted-keys' statement in BIND9 named configuration files.
The RIPE NCC would consider publishing its KSKs in appropriate registries that may emerge to facilitate the establishment of DNSSEC trust anchors.
Any changes to this procedure and other announcements will be signed with the RIPE NCC PGP key and published on a secure website and a dedicated mailing list.
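As an added example, not part of this RIPE NCC document, the following Python script performs the check an operator of a validating resolver would want in order to keep a configured 'trust-anchor' synchronised with the KSK actually used to sign the zone: it parses a BIND9 'trusted-keys' statement in the format referred to above, parses the zone's current DNSKEY RRset (as it would be obtained with dig), computes the key tags as defined in RFC 4034 Appendix B, and reports any anchor that no longer matches a published KSK. The zone name 'example.net.', the key material and both DNSKEY RRsets are constructed placeholders, not RIPE NCC keys; the DNSKEY records are assumed to be in the full presentation format (owner, TTL, class, type, RDATA).

```python
import base64
import re
import struct

# Constructed sample input (not RIPE NCC data): a BIND9 named.conf 'trusted-keys'
# statement as an operator might have copied it from a published trust-anchor
# page. The key is a short dummy blob, not a real RSA key; example.net. is a
# placeholder zone name.
TRUSTED_KEYS_CONF = '''
trusted-keys {
    "example.net." 257 3 5 "AQIDBA==";
};
'''

# Constructed DNSKEY RRset of example.net. as currently served: the KSK (flags 257,
# SEP bit set) still matches the configured anchor, plus one ZSK (flags 256).
DNSKEY_RRSET_BEFORE = '''
example.net. 3600 IN DNSKEY 257 3 5 AQIDBA==   ; KSK, matches the anchor
example.net. 3600 IN DNSKEY 256 3 5 BQYHCA==   ; ZSK
'''

# The same zone after a KSK rollover the operator did not follow: the old KSK
# is gone, so the configured anchor no longer validates anything in the zone.
DNSKEY_RRSET_AFTER = '''
example.net. 3600 IN DNSKEY 257 3 5 CQoLDA==   ; new KSK
example.net. 3600 IN DNSKEY 256 3 5 BQYHCA==   ; ZSK
'''

SEP_FLAG = 0x0001  # DNSKEY flags bit marking a key as a Secure Entry Point (KSK)

TRUSTED_KEY_RE = re.compile(r'"([^"]+)"\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]+)"\s*;')


def canonical_name(name):
    """Lower-case the owner name and make it fully qualified (trailing dot)."""
    name = name.lower()
    return name if name.endswith('.') else name + '.'


def parse_trusted_keys(conf):
    """Return (name, flags, protocol, algorithm, pubkey_bytes) tuples from a
    BIND9 'trusted-keys' statement; whitespace inside the quoted key is dropped."""
    anchors = []
    for name, flags, proto, alg, key in TRUSTED_KEY_RE.findall(conf):
        pubkey = base64.b64decode(''.join(key.split()))
        anchors.append((canonical_name(name), int(flags), int(proto), int(alg), pubkey))
    return anchors


def parse_dnskey_rrset(zone_text):
    """Return the same tuple shape for DNSKEY RRs in presentation format."""
    keys = []
    for line in zone_text.splitlines():
        line = line.split(';', 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()  # owner ttl class DNSKEY flags protocol algorithm key...
        if len(fields) < 8 or fields[3].upper() != 'DNSKEY':
            continue
        pubkey = base64.b64decode(''.join(fields[7:]))
        keys.append((canonical_name(fields[0]), int(fields[4]), int(fields[5]),
                     int(fields[6]), pubkey))
    return keys


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (valid for algorithm 5, RSA/SHA1): a
    16-bit checksum over the DNSKEY RDATA, the number dig and DS records show."""
    rdata = struct.pack('!HBB', flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_anchors(conf, zone_text):
    """Compare each configured trust anchor with the zone's current DNSKEY RRset.
    Returns (name, key_tag, status): 'ok' when an identical SEP key is still
    published, 'not-ksk' when the identical key lacks the SEP bit (a ZSK under
    the policy above, so it will be rolled far more often), and 'stale' when no
    published key matches, in which case a validator using this anchor fails
    the whole zone."""
    zone_keys = parse_dnskey_rrset(zone_text)
    results = []
    for name, flags, proto, alg, pubkey in parse_trusted_keys(conf):
        tag = key_tag(flags, proto, alg, pubkey)
        if (name, flags, proto, alg, pubkey) not in zone_keys:
            status = 'stale'
        elif flags & SEP_FLAG:
            status = 'ok'
        else:
            status = 'not-ksk'
        results.append((name, tag, status))
    return results


if __name__ == '__main__':
    for label, rrset in (('before rollover', DNSKEY_RRSET_BEFORE),
                         ('after rollover', DNSKEY_RRSET_AFTER)):
        for name, tag, status in check_anchors(TRUSTED_KEYS_CONF, rrset):
            print(f'{label}: anchor for {name} (key tag {tag}): {status}')
```

Run against the live zone, the DNSKEY RRset would be fetched with dig and the script run before and after every announced KSK change; a 'stale' result is exactly the situation in which the zone becomes invisible to the operator's validating clients.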
[1] draft-ietf-dnsop-dnssec-operational-practices-04.txt (work in progress).