[dnssec-deployment] Signatures on the DNSKEY
ogud at ogud.com
Fri Oct 2 10:52:59 EDT 2009
At 17:24 30/09/2009, Paul Wouters wrote:
>On Wed, 30 Sep 2009, Olafur Gudmundsson wrote:
>>This is a good reason, and while you are at, promote good DNSKEY hygiene
>>by signing .us/.biz with one KSK and one ZSK in the DNSKEY set during
>>normal operation. New keys should only be added just-in-time to take over.
>But that prevents me from doing a quick ZSK rollover. And note that
>if you're rolling the ZSK monthly, even with your scheme you'd be running
>with two ZSK's for about 4 days every 30 days anyway.
>Not sure if I'd call having two ZSK's "bad hygiene" :P (and isnt it the
>current BCP from RFC4146 to run with two ZSK's)
RFC4146 needs to be updated, I scratch my head over some of the recommendations
The speed of Key rollover is a tradeoff's in
Before you can make the statement "prevents me from making quick rollover"
we need to define when rollover starts. I can argue that it starts as early
as when you introduce a new key, you can argue it starts as late as when you
add the first signature by the key.
In any case the delay in rolling a ZSK is bound by the TTL on the DNSKEY RRset
and how quickly the DNSKEY RRset can be updated.
Lower DNSKEY TTL allows you to start using a new key faster,
capping the largest TTL in a zone allows you to remove old key faster,
but both increase the query traffic in the normal case.
Having only 1 ZSK for 26 days lowers the traffic bill :-)
If I set the DNSKEY TTL to 1 hour
and max TTL to 20 hours
and if I can push out the resigned zone in 3 hours
then I only need two keys for 1 day during roll over.
More information about the Dnssec-deployment