0

Short version: If a DNSSec-signed sone suddenly replace both ZSK (and all records related to the old ZSK), and at the same time keep the KSKs (which are referenced to by upstream server). Will it cause any trouble? And will it cause trouble after the TTL of the zone/records expire?

Long version: So I am replacing a 2012R2 Authorative DNS-server (File-backed) which host a handful of DNSSEC zones.

From what I have gathered, it is not possible to migrate the ZSKs for a zone, but it is possible to migrate the KSKs. (Technically I can migrate both, but can only import the KSKs on the zone for some reason). It is also not possible to add any 'custom' DNSSEC-related records when Windows Server flags the zone as signed. The upstream DNS-server (country level TLD) only contains references to the KSKs.

If I understand this correctly, If I copy the zone, generate new ZSKs and sign it. Then put it online (will have same IP as previous server). This should only lead to problems with signature verification during the TTL of the zone/records in question (I believe), and then only if someone has cached just the record and not the signature-record? (I am also aware that some DNS-servers might cache for more than the Zone TTL).

Zerqent
  • 336
  • 2
  • 8

1 Answers1

0

If a DNSSec-signed sone suddenly replace both ZSK (and all records related to the old ZSK), and at the same time keep the KSKs (which are referenced to by upstream server). Will it cause any trouble?

Yes. You seem to forget that DNS records have TTL. So recursive resolvers will/may have the old key data in their cache (the DNSKEY records listing the old ZSKs), and hence expect for example to find signatures with it. "Suddenly" never mixes will with DNS. No changes should be done without grace periods.

From what I have gathered, it is not possible to migrate the ZSKs for a zone, but it is possible to migrate the KSKs.

It is not clear to me what you mean by "migrate" there. ZSKs, by definition, are rotated often, like one each month or each 2 months, but with overlapping.

No matter what, you have always this ugly method to change things, that works but opens a window of no security:

  • remove DS at parent
  • wait "enough" time (at least DS TTL and some more)
  • now your zone is not DNSSEC secured anymore, you can mutate its content at your will, including about keys
  • once you reached your new desired configuration, and you have tested that DNSSEC is ok by simulating a specific DS at parent, then you can put that DS record back at parent.

Of course, if you have any monitoring on your zone that expects DNSSEC, it will scream during the procedure (or at least good test for the monitoring too).

Patrick Mevzek
  • 9,273
  • 7
  • 29
  • 42
  • "Migrate" - Move the key to another server and resign the zone. The problem is that Windows don't seem to have an option where I can pre-publish or double sign the zone with one key from each server... It takes control of DNSSEC, and then won't let you do anything. – Zerqent Oct 11 '21 at 16:42
  • TTL for the Zones I believe are down to 15 minutes. I know public servers may not respect a TTL below an hour. An hour downtime for a service is acceptable (Especially when only DNSSEC-enabled audience is affect and I can do it at nighttime). If there are not any other timestamps/timeouts I must adhere to. Removing the DS records at parent is the alternative solution to the problem, but I am trying to find a better solution. – Zerqent Oct 11 '21 at 16:44
  • @Zerqent Why can't you use the same keys on the new server? – Patrick Mevzek Oct 11 '21 at 17:11
  • I cannot find a way that it can be done on Windows Server. You can import a key to a different server (its stored in the certificate in Windows). Then you can call Add-DnsServerSigningKey to import the KSK. If you try to do it with a ZSK it will blatently ignore the key you specify and just generate a fresh one (also if you look into the params it actually says that the param is just for KSKs) – Zerqent Oct 11 '21 at 17:56
  • For a smooth migration, you should do a proper rollover so basically creating the new key on new server, make sure it is added in the old server, in the DNSKEY record, have current KSK sign the new ZSK. If you can move the signatures themselves, find a way to have new server computes the signatures and include them in the old server. After some time (see https://datatracker.ietf.org/doc/html/rfc7583#section-3.2 for help) you could remove the old ZSK as signing key, and then move the zone to new server fully, as not using the old ZSK. Or go rogue (without DNSSEC by removing DS in parent). – Patrick Mevzek Oct 11 '21 at 18:07
  • (Sorry I know little if not nothing about Windows-specifics stuff, so I hope someone can add an answer helping you more about this specific OS; I was just giving some general advices on DNSSEC maintenances). – Patrick Mevzek Oct 11 '21 at 18:08
  • Cheers Patrick. I have been knee-deep in multiple RFC :). however, once I sign with Windows I cannot actually add a DSKEY-record so basically I am left at either this scenario (Emergency rollover of all ZKeys and wait for TTL - or more?) or disabling dnssec, migrating then restore. – Zerqent Oct 11 '21 at 19:02
  • Imagine you were not doing some "routine" planned upgrade/maintenance but for some reasons your current infrastructure was failing in some way and you had to move the DNS handling/signatures+keys management to some new server "immediately" to restore the service. How would you manage that? It may sound remote/unneeded, but it all depends on how critical is this specific service to other things (see the recent outage at FB: their zone being broken was also blocking various internal tools) and managing the change now calmly can also help you draft a plan for emergency cases. Or the opposite. – Patrick Mevzek Oct 11 '21 at 19:57