8

I have set up some domains with DNSSEC. I generated the keys and signed the zones with zonesigner from dnssec-tools. I know that I must re-sign the zones within 30 days. But what's up with the keys which I deposited at my domain provider? Do I need to renew the keys too? If yes, how? I can't find any information about this on the website.

user1091344

2 Answers

9

You are not required to renew the keys. Unlike RRSIG records, DNSSEC keys and corresponding DS signatures have no expiration date.

KSK (Key Signing Keys):

You may choose to rotate keys from time to time; one reason to do so may be, for example, that your keys were possibly stolen and you don't know. If your KSK is kept offline and thus unlikely to be compromised, there's no real need to rotate the KSK.

ZSK (Zone Signing Keys):

To rotate those you don't need your domain provider, so they are much easier to rotate. Though if ZSKs are also kept secure enough, there's no real need to rotate them either.

The following RFC is the source of various DNSSEC-related recommendations:

RFC 4641 - DNSSEC Operational Practices, Version 2

.... a reasonable effectivity period for KSKs that have corresponding DS records in the parent zone is of the order of 2 decades or longer. That is, if one does not plan to test the rollover procedure, the key should be effective essentially forever, and only rolled over in case of emergency.

Sandman4
0

DNSSEC has the concept of Zone Signing Keys, which you would have on your noted 30 days (with some overlap). The keys you submitted to the registrar are called Key Signing Keys, and can have a different rotation schedule.

I think you could even create several ZSKs signed with your KSK, and then keep the KSK offline.

becomingwisest
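
An added example, not part of either answer or of dnssec-tools: a short Python check for the distinction both answers draw. It reads zone-file presentation format and reports RRSIG records close to expiry, while DNSKEY records are only classified by their flags field (256 for a ZSK, 257 for a KSK) because they carry no date. The sample records, the `audit_zone` name and the 7-day warning window are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records in presentation format (not real keys or signatures).
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 AwEAAc0nstructedKSK
example.com. 3600 IN DNSKEY 256 3 8 AwEAAc0nstructedZSK
example.com. 3600 IN RRSIG SOA 8 2 3600 20240215000000 20240116000000 12345 example.com. c2lnMQ==
www.example.com. 3600 IN RRSIG A 8 3 3600 20240120000000 20231221000000 12345 example.com. c2lnMg==
"""

def parse_time(value):
    """RRSIG times are either YYYYMMDDHHmmSS (always 14 digits) or epoch seconds."""
    if len(value) == 14:
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)

def audit_zone(text, now, warn_days=7):
    """Return (keys, expiring): key roles, and RRSIGs with < warn_days left."""
    keys, expiring = [], []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue  # this sketch only handles "owner TTL IN type rdata" lines
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "DNSKEY":
            # rdata: flags protocol algorithm key. No expiry field exists here;
            # the SEP bit (0x0001) is the conventional marker for a KSK.
            role = "KSK" if int(rdata[0]) & 0x0001 else "ZSK"
            keys.append((owner, role))
        elif rtype == "RRSIG":
            # rdata: covered alg labels origTTL expiration inception keytag ...
            left = parse_time(rdata[4]) - now
            if left < timedelta(days=warn_days):
                # .days floors, so an already expired signature is negative
                expiring.append((owner, rdata[0], left.days))
    return keys, expiring

if __name__ == "__main__":
    now = datetime(2024, 1, 16, tzinfo=timezone.utc)  # fixed time for the sample
    keys, expiring = audit_zone(SAMPLE_ZONE, now)
    for owner, role in keys:
        print(f"{owner} {role}: no expiry in the record")
    for owner, covered, days in expiring:
        print(f"{owner} RRSIG({covered}): {days} day(s) left, re-sign the zone")
```
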