Discussion:
Sign ZSK key permanently
Paul van der Vlis
2018-08-23 16:05:00 UTC
Hello,

Is it possible to sign the ZSK key permanently with the KSK key?
If yes: how to do that?

In this way I could keep the KSK key offline.

With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Tony Finch
2018-08-23 16:40:39 UTC
Post by Paul van der Vlis
Is it possible to sign the ZSK key permanently with the KSK key?
In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to compromise them they will be able to spoof records in your zone
until you replace the KSK.

In effect, what you will have done is coupled the keys together
permanently so they are of equivalent power, and eliminated all benefit of
keeping the KSK offline.

The point of an offline KSK is to allow you to recover from compromise of
your ZSK without having to replace your DS records or other trust anchors.

It's worth having a look at how the root DNSKEY RRset is managed: they get
the KSK out of storage a few times a year, when they generate RRSIG
records for the next few months.


(*) The other mechanism is the RFC 5011 revoked bit, which only applies to
KSKs that are being tracked as auto-updating trust anchors (managed-keys
etc.) but that doesn't apply to other records that depend on signature and
key rotation for revocation.

Tony.
--
f.anthony.n.finch <***@dotat.at> http://dotat.at/
justice and liberty cannot be confined by national boundaries
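The pre-signing scheme described in the reply above, as an added example (not code from this thread, from BIND or from ISC): one KSK ceremony produces the RRSIGs over a series of DNSKEY RRsets that will be published until the next ceremony, and a validator's acceptance of each RRSIG is checked with the serial number arithmetic RFC 4034 prescribes for the Inception and Expiration fields. The slot count, slot length and overlap, the ceremony timestamp and the function names are illustrative assumptions, not the root zone's actual parameters.

```python
"""Offline-KSK pre-signing schedule for a zone's DNSKEY RRset.

Added example: not code from this thread, from BIND or from ISC. It models the
scheme described above. The KSK leaves storage a few times a year and in one
sitting produces the RRSIG records over every DNSKEY RRset that will be
published until the next ceremony. RRSIG times are 32-bit epoch seconds
compared with serial number arithmetic (RFC 4034 section 3.1.5). Slot length,
overlap and slot count are illustrative assumptions, not the root's settings.
"""
from dataclasses import dataclass
from typing import List

MOD = 2 ** 32
HALF = 2 ** 31
DAY = 86400


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serial numbers, as RFC 4034 requires."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def sig_valid_at(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 5.3.1: a validator accepts the RRSIG only while
    inception <= now <= expiration (serial arithmetic)."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


@dataclass(frozen=True)
class SlotSig:
    slot: int         # index of the pre-built DNSKEY RRset this RRSIG covers
    inception: int    # Signature Inception, epoch seconds mod 2^32
    expiration: int   # Signature Expiration


def plan_ceremony(ceremony: int, slots: int, slot_len: int, overlap: int) -> List[SlotSig]:
    """One KSK ceremony: pre-sign `slots` consecutive DNSKEY RRsets.

    Slot i goes into the zone at ceremony + i*slot_len and stays for slot_len
    seconds. Its RRSIG is valid `overlap` seconds earlier and later, so
    neighbouring slots overlap and skewed clocks or cached RRsets still verify.
    """
    sigs = []
    for i in range(slots):
        start = ceremony + i * slot_len
        sigs.append(SlotSig(i, (start - overlap) % MOD,
                            (start + slot_len + overlap) % MOD))
    return sigs


def published_slot(ceremony: int, slot_len: int, slots: int, now: int) -> int:
    """Index of the RRset the operator has in the zone at `now`. Once the
    last slot has started there is nothing newer to publish."""
    return max(0, min((now - ceremony) // slot_len, slots - 1))


def coverage_gaps(sigs: List[SlotSig], ceremony: int, slot_len: int,
                  start: int, end: int, step: int = 3600) -> List[int]:
    """Sample [start, end) every `step` seconds; return the sample times at
    which the published DNSKEY RRset fails validation (the zone is bogus)."""
    gaps = []
    for now in range(start, end, step):
        s = sigs[published_slot(ceremony, slot_len, len(sigs), now)]
        if not sig_valid_at(s.inception, s.expiration, now % MOD):
            gaps.append(now)
    return gaps


def ceremony_deadline(sigs: List[SlotSig]) -> int:
    """Expiration of the last pre-generated RRSIG. The next ceremony must
    have produced fresh RRSIGs before this instant, and it is also the
    latest time a forgery signed with a stolen ZSK from these RRsets
    still validates: the exposure ends here without a KSK rollover or
    DS change. With a never-expiring RRSIG there would be no such bound."""
    return sigs[-1].expiration


if __name__ == "__main__":
    C = 1535760000   # constructed ceremony time: 2018-09-01 00:00:00 UTC
    sigs = plan_ceremony(C, slots=9, slot_len=10 * DAY, overlap=5 * DAY)
    print("gaps until deadline:",
          coverage_gaps(sigs, C, 10 * DAY, C, ceremony_deadline(sigs)))
    print("next ceremony needed before epoch", ceremony_deadline(sigs))
```

With nine ten-day slots and five days of overlap, the zone validates continuously from the ceremony until 95 days later, and the operator's calendar entry for the next ceremony is simply `ceremony_deadline(sigs)`; shrinking the overlap or stretching the slot length shows up immediately as non-empty `coverage_gaps`.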
Paul van der Vlis
2018-08-24 15:30:18 UTC
Hi Tony,

Thanks for your answer!
Post by Tony Finch
Post by Paul van der Vlis
Is it possible to sign the ZSK key permanently with the KSK key?
In this way I could keep the KSK key offline.
The only(*) revocation mechanisms in DNSSEC are expiring signatures and
replacing keys. If you sign your DNSKEY records permanently, when anyone
manages to compromise them they will be able to spoof records in your zone
until you replace the KSK.
In effect, what you will have done is coupled the keys together
permanently so they are of equivalent power, and eliminated all benefit of
keeping the KSK offline.
The point of an offline KSK is to allow you to recover from compromise of
your ZSK without having to replace your DS records or other trust anchors.
If the ZSK and KSK are in the same place, they will be compromised
together I would say.
Post by Tony Finch
It's worth having a look at how the root DNSKEY RRset is managed: they get
the KSK out of storage a few times a year, when they generate RRSIG
records for the next few months.
A long TTL is needed then.
Post by Tony Finch
(*) The other mechanism is the RFC 5011 revoked bit, which only applies to
KSKs that are being tracked as auto-updating trust anchors (managed-keys
etc.) but that doesn't apply to other records that depend on signature and
key rotation for revocation.
Isn't it possible to revoke the ZSK key, and sign the zone with a new
ZSK key?

Without an offline KSK, I do not see a reason for both a KSK and a ZSK
key. Do you?

With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
Mark Andrews
2018-08-23 21:10:18 UTC
Post by Paul van der Vlis
Hello,
Is it possible to sign the ZSK key permanently with the KSK key?
No. There is no way to signal this in an RRSIG.
Post by Paul van der Vlis
If yes: how to do that?
In this way I could keep the KSK key offline.
With regards,
Paul van der Vlis
--
Paul van der Vlis Linux systeembeheer Groningen
https://www.vandervlis.nl/
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org

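The point made in the reply above, that an RRSIG has no way to express "never expires", as an added example (not code from this thread or from BIND): the RRSIG RDATA layout of RFC 4034 section 3.1 packed and parsed, with Signature Expiration as a mandatory fixed 32-bit field, and the serial number arithmetic of section 3.1.5 that caps how far ahead an expiration can usefully reach. The field values are constructed to resemble a root DNSKEY RRSIG (key tag 20326 is the root KSK-2017's tag); the signature bytes are a placeholder, not a real signature, and the function names are assumptions.

```python
"""RRSIG RDATA on the wire (RFC 4034 section 3.1) and what its time fields
can express.

Added example: not code from this thread or from BIND. It packs and parses the
RRSIG RDATA layout to show that Signature Expiration is a mandatory 32-bit
field with no reserved "never" value. Compared with serial number arithmetic
(RFC 4034 section 3.1.5), an expiration more than 2^31 seconds past the
validator's clock reads as already expired, so "permanent" is not encodable.
Field values below are constructed; the signature bytes are not a real signature.
"""
import struct
from dataclasses import dataclass

MOD = 2 ** 32
HALF = 2 ** 31
# type covered, algorithm, labels, original TTL, expiration, inception, key tag
FIXED = struct.Struct("!HBBIIIH")


def encode_name(name: str) -> bytes:
    """Uncompressed wire-format name (RFC 1035 3.1). Names are absolute and
    end in a dot; the root "." is a single zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"


def decode_name(buf: bytes, off: int):
    """Inverse of encode_name; returns (name, offset after the name)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels) + ".", off


@dataclass(frozen=True)
class Rrsig:
    type_covered: int   # 48 = DNSKEY
    algorithm: int
    labels: int
    original_ttl: int
    expiration: int     # mandatory: epoch seconds mod 2^32
    inception: int
    key_tag: int
    signer: str
    signature: bytes


def encode_rrsig(r: Rrsig) -> bytes:
    return (FIXED.pack(r.type_covered, r.algorithm, r.labels, r.original_ttl,
                       r.expiration, r.inception, r.key_tag)
            + encode_name(r.signer) + r.signature)


def decode_rrsig(rdata: bytes) -> Rrsig:
    fields = FIXED.unpack_from(rdata, 0)
    signer, off = decode_name(rdata, FIXED.size)
    return Rrsig(*fields, signer, rdata[off:])


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serials, as RFC 4034 3.1.5 requires."""
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_time_valid(r: Rrsig, now: int) -> bool:
    """RFC 4035 5.3.1: inception <= now <= expiration in serial arithmetic."""
    now %= MOD
    return not serial_lt(now, r.inception) and not serial_lt(r.expiration, now)


def furthest_acceptable_expiration(now: int) -> int:
    """Largest Expiration a validator whose clock reads `now` still sees as
    in the future: 2^31-1 seconds, about 68 years. A difference of exactly
    2^31 is undefined in RFC 1982; anything larger reads as in the past."""
    return (now + HALF - 1) % MOD


if __name__ == "__main__":
    NOW = 1535760000   # constructed: 2018-09-01 00:00:00 UTC
    sig = Rrsig(type_covered=48, algorithm=8, labels=0, original_ttl=172800,
                expiration=NOW + 21 * 86400, inception=NOW, key_tag=20326,
                signer=".", signature=b"\x00" * 16)   # placeholder signature
    wire = encode_rrsig(sig)
    print("rdata bytes:", len(wire), "expiration at offset 8..12:", wire[8:12].hex())
    print("valid now:", rrsig_time_valid(sig, NOW))
    print("furthest expiration accepted:", furthest_acceptable_expiration(NOW))
```

Revocation in DNSSEC therefore falls out of this layout: the only way a signed DNSKEY RRset stops being accepted is that the fixed Expiration field passes, or the key it was made with is replaced and the old RRSIG no longer matches anything.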