DNSSEC Keys

What?

  • DNSSEC for a zone uses two key pairs: the Key Signing Key (KSK), which signs only the DNSKEY RRset and is the key the DS record at the parent (the .ch zone) refers to, and the Zone Signing Key (ZSK), which signs all other records in the zone.
  • Both key pairs are RSA-SHA512 (dnssec-keygen algorithm RSASHA512, algorithm number 10) with 4096 bit moduli. This is in line with our Linux crypto policy (nothing smaller than 4k, nothing but RSA for the moment until Curve25519 implementations have matured a bit). NB: RSA-SHA512 is the strongest of the RSA-based DNSSEC algorithms; the ECDSA algorithms of RFC 6605 exist but are outside our policy. Caveat: a 4096 bit RSA signature is 512 bytes, so the DNSKEY response alone (four 4096 bit keys plus their signatures) is over 3 kB and relies on EDNS0 with fragmentation or TCP fallback working end to end.
  • The KSK has a lifetime of 10 years, the ZSK of 2 years. This is in line with our Linux crypto policy (2 years lifetime for host keys, 10 years for CA keys): the KSK is the zone's trust anchor and plays the CA role, the ZSK is the operational signing key.

Who?

  • Keys are generated and maintained by the ITS Linux System Administration and stored offline alongside the other cryptographic keys, on encrypted media and physically locked up, currently accessible by Simon, Philipp, and Daniel.
  • Unencrypted copies of the keys are kept in escrow, currently accessible by Simon.
  • Alongside the active KSK/ZSK pair we always keep two of each for the current period (same start and end dates as the active key) and two of each for the next period (start and end dates both in the future). These key pairs can be put into use immediately by the Network Administrators, so that in urgent cases a rollover involves as few people as possible (access to the escrow and to Infoblox is enough; no key has to be generated for an immediate switch).
  • We keep two ZSKs and two KSKs in DNS at all times. For the external zone this allows switching keys instantly, without waiting for TTLs to expire or for RFC-ignorant caching resolvers to refresh, because validators already have the standby key in their cached DNSKEY RRset. For the KSK this only holds if the DS record of the standby KSK is published at the parent in advance as well; a standby KSK that is in DNSKEY but has no DS at the parent cannot take over instantly.
  • Or in other words: two ZSK/KSK pairs in DNS (one active, one hot standby) and two ZSK/KSK pairs on the side, ready to be switched in.
  • A KSK rollover (sample dates) is done as a double-signature rollover:
    • 2016-01-01: New KSK is added to DNSKEY.
    • 2016-01-07: New KSK signs the DNSKEY RRset in addition to the old one, so the RRset carries two signatures. The DS record for the new KSK is submitted to the parent at the same time; the parent's DS TTL must have expired before the next step.
    • 2016-01-14: Old KSK no longer signs; the DNSKEY RRset carries only the signature of the new KSK, and the DS at the parent points to the new KSK only.
    • 2016-01-21: Old KSK is marked as revoked (RFC 5011 REVOKE bit; the DNSKEY flags change from 257 to 385, which also changes the key tag).
    • 2016-02-01: Old KSK is removed from DNSKEY.
  • A ZSK rollover goes the same way, with the ZSKs signing the zone data instead of the DNSKEY RRset and without any DS change at the parent.
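The policy above (RSASHA512, nothing below 4096 bit, two KSKs and two ZSKs in DNSKEY, revoked keys flagged) can be checked against a published DNSKEY RRset. The following script is an added example, not BFH tooling: it parses DNSKEY records in the presentation format dig prints, computes the RFC 4034 key tag, classifies keys by the SEP flag, reads the RFC 5011 REVOKE flag, extracts the RSA modulus size from the RFC 3110 public key, and reports violations. The sample records are constructed with synthetic moduli and are not real BFH keys.

```python
"""Audit a DNSKEY RRset against the key policy described above.

Added example (not BFH tooling). The sample records below are CONSTRUCTED
with synthetic moduli; they are not real BFH keys.
"""
import base64
import struct

RSASHA512 = 10        # DNSSEC algorithm number of RSASHA512
FLAG_ZONE = 0x0100    # zone key bit, set on every ZSK and KSK
FLAG_REVOKE = 0x0080  # RFC 5011 REVOKE bit
FLAG_SEP = 0x0001     # Secure Entry Point bit, marks a KSK
MIN_RSA_BITS = 4096   # policy: nothing smaller than 4k
RSA_ALGORITHMS = (5, 7, 8, 10)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 public key: exponent length, exponent, modulus."""
    if pubkey[0] != 0:
        exp_len, off = pubkey[0], 1
    else:                                   # length byte 0: a two-byte length follows
        exp_len, off = struct.unpack("!H", pubkey[1:3])[0], 3
    return int.from_bytes(pubkey[off + exp_len:], "big").bit_length()


def parse_dnskey(line: str) -> dict:
    """Parse "owner TTL IN DNSKEY flags protocol algorithm base64..." (base64 may contain spaces)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return {
        "owner": fields[0], "flags": flags, "protocol": protocol, "algorithm": algorithm,
        "tag": key_tag(rdata),
        "role": "KSK" if flags & FLAG_SEP else "ZSK",
        "revoked": bool(flags & FLAG_REVOKE),
        "bits": rsa_modulus_bits(pubkey) if algorithm in RSA_ALGORITHMS else None,
    }


def audit(lines) -> dict:
    """Check an RRset against the policy: RSASHA512, >= 4096 bit, two live KSKs and two live ZSKs."""
    keys = [parse_dnskey(line) for line in lines if "DNSKEY" in line]
    problems = []
    for k in keys:
        if not k["flags"] & FLAG_ZONE or k["protocol"] != 3:
            problems.append(f"{k['tag']}: not a valid zone key (flags {k['flags']}, protocol {k['protocol']})")
        if k["algorithm"] != RSASHA512:
            problems.append(f"{k['tag']}: algorithm {k['algorithm']} is not RSASHA512")
        if k["bits"] is not None and k["bits"] < MIN_RSA_BITS:
            problems.append(f"{k['tag']}: {k['bits']} bit RSA modulus is below the 4096 bit minimum")
    live = [k for k in keys if not k["revoked"]]
    for role in ("KSK", "ZSK"):
        n = sum(1 for k in live if k["role"] == role)
        if n != 2:
            problems.append(f"{n} unrevoked {role}(s) in DNSKEY, policy wants 2 (active + hot standby)")
    return {"keys": keys, "problems": problems}


def _sample_record(flags: int, last_byte: int, modulus_len: int = 512) -> str:
    """CONSTRUCTED record: e=65537 and a synthetic modulus with the top bit set (not a real key)."""
    modulus = b"\x80" + b"\x00" * (modulus_len - 2) + bytes([last_byte])
    pubkey = b"\x03" + b"\x01\x00\x01" + modulus
    return f"bfh.ch. 3600 IN DNSKEY {flags} 3 {RSASHA512} " + base64.b64encode(pubkey).decode()


SAMPLE_RRSET = [
    _sample_record(257, 1),                # active KSK
    _sample_record(257, 2),                # hot-standby KSK
    _sample_record(256, 10),               # active ZSK
    _sample_record(256, 20),               # hot-standby ZSK
    _sample_record(257 | FLAG_REVOKE, 5),  # old KSK, revoked (flags 385)
]
WEAK_RECORD = _sample_record(256, 6, modulus_len=256)  # 2048 bit ZSK, violates the policy

if __name__ == "__main__":
    for k in audit(SAMPLE_RRSET)["keys"]:
        print(k["tag"], k["role"], "revoked" if k["revoked"] else "live", k["bits"], "bits")
    print(audit(SAMPLE_RRSET + [WEAK_RECORD])["problems"])
```

The lines that `dig bfh.ch DNSKEY` prints can be passed to audit() directly. The revoked key is deliberately not counted as a live KSK, and its tag differs from what the same key had before the REVOKE bit was set, which is why a DS record or trust anchor configured by key tag has to be checked after a revocation.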

When?

  • On 2014-10-16 we will do a complete test, including rollovers of several KSKs and ZSKs, with a dummy zone. This ensures that the prepared documentation and workflow work for everyone.
  • End of October 2014 (calendar week 43) we will give an introductory lecture for IT Infrastructure people (and anyone else interested).
  • End of October 2014 (calendar week 43) we will give an introductory lecture targeted at IT Support people.
  • End of October 2014 (calendar week 44) we will enable DNSSEC for bfh.ch temporarily, for the duration of a single maintenance window only.
  • Beginning of November 2014 we will enable DNSSEC for bfh.ch permanently.

How?

  • The last argument of dnssec-keygen is the owner name of the key, which must be the zone apex (bfh.ch), not a label of our own; the generated files are named Kbfh.ch.+010+<keytag>.key and .private (010 is the algorithm number of RSASHA512). The timing options are -P publish in DNSKEY, -A activate (start signing), -I inactive (stop signing), -R revoke, -D delete from DNSKEY.
  • ZSK keys are generated with
dnssec-keygen -a RSASHA512 -b 4096 -n ZONE -P 20140101 -A 20140107 -I 20160114 -R 20160121 -D 20160201 bfh.ch
  • KSK keys are generated with
dnssec-keygen -a RSASHA512 -b 4096 -n ZONE -f KSK -P 20140101 -A 20140107 -I 20250114 -R 20250121 -D 20250201 bfh.ch
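The timing dates in these commands follow from the rollover schedule in the Who? section (new key published at the start of its period, signing 6 days later; old key inactive 13 days, revoked 20 days and deleted 31 days after its period ends). The following script is an added example, not BFH tooling: it derives the -P/-A/-I/-R/-D dates for a key period, builds the dnssec-keygen command line for bfh.ch, shows which keys are in DNSKEY and signing on a given day, and checks that a successor key overlaps the retiring key long enough for a double-signature rollover. The offsets are taken from the commands above; the DS update at the parent for a KSK is not something dnssec-keygen can schedule and is not modelled here.

```python
"""Derive dnssec-keygen timing dates for the key periods used on this page.

Added example (not BFH tooling). Offsets are taken from the sample
dnssec-keygen commands above; the zone name bfh.ch is the one in those commands.
"""
from dataclasses import dataclass
from datetime import date, timedelta

ALGORITHM, BITS, ZONE = "RSASHA512", 4096, "bfh.ch"
ACTIVATE_DELAY = timedelta(days=6)    # -A: starts signing 6 days after -P
INACTIVE_DELAY = timedelta(days=13)   # -I: keeps signing 13 days into the successor's period
REVOKE_DELAY = timedelta(days=20)     # -R: REVOKE bit set one week after -I
DELETE_DELAY = timedelta(days=31)     # -D: removed from DNSKEY at the start of the next month
MIN_DOUBLE_SIGNATURE = timedelta(days=7)  # both keys sign for at least a week


def parse_ymd(s: str) -> date:
    """Parse a YYYYMMDD date as used by dnssec-keygen -P/-A/-I/-R/-D."""
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


@dataclass(frozen=True)
class KeyTimeline:
    role: str        # "KSK" or "ZSK"
    publish: date    # -P: key appears in DNSKEY
    activate: date   # -A: key starts producing RRSIGs
    inactive: date   # -I: key stops producing RRSIGs
    revoke: date     # -R: RFC 5011 REVOKE bit set
    delete: date     # -D: key removed from DNSKEY

    def keygen_command(self) -> str:
        def ymd(d: date) -> str:
            return d.strftime("%Y%m%d")
        ksk = " -f KSK" if self.role == "KSK" else ""
        return (f"dnssec-keygen -a {ALGORITHM} -b {BITS} -n ZONE{ksk} "
                f"-P {ymd(self.publish)} -A {ymd(self.activate)} -I {ymd(self.inactive)} "
                f"-R {ymd(self.revoke)} -D {ymd(self.delete)} {ZONE}")

    def signs_on(self, day: date) -> bool:
        return self.activate <= day < self.inactive

    def published_on(self, day: date) -> bool:
        return self.publish <= day < self.delete


def key_timeline(role: str, period_start: date, period_end: date) -> KeyTimeline:
    """Timeline of a key whose nominal period runs from period_start to period_end."""
    return KeyTimeline(role, period_start, period_start + ACTIVATE_DELAY,
                       period_end + INACTIVE_DELAY, period_end + REVOKE_DELAY,
                       period_end + DELETE_DELAY)


def dnskey_content(keys, day: date) -> list:
    """Keys present in DNSKEY on `day`, and whether each one is signing or only published."""
    return [(k.role, "signing" if k.signs_on(day) else "published only")
            for k in keys if k.published_on(day)]


def check_rollover(old: KeyTimeline, new: KeyTimeline) -> list:
    """Problems with retiring `old` in favour of `new` as a double-signature rollover."""
    problems = []
    if old.role != new.role:
        problems.append("old and new key have different roles")
    if not new.publish < new.activate:
        problems.append("new key must sit in DNSKEY before it signs, so cached DNSKEY RRsets contain it")
    overlap = old.inactive - new.activate
    if overlap < MIN_DOUBLE_SIGNATURE:
        problems.append(f"double-signature window is {overlap.days} days, need {MIN_DOUBLE_SIGNATURE.days}")
    if not old.activate < old.inactive <= old.revoke <= old.delete:
        problems.append("old key's inactive/revoke/delete dates are not in order")
    return problems


if __name__ == "__main__":
    zsk_2014 = key_timeline("ZSK", parse_ymd("20140101"), parse_ymd("20160101"))
    zsk_2016 = key_timeline("ZSK", parse_ymd("20160101"), parse_ymd("20180101"))
    ksk_2014 = key_timeline("KSK", parse_ymd("20140101"), parse_ymd("20250101"))
    for k in (zsk_2014, zsk_2016, ksk_2014):
        print(k.keygen_command())
    print(check_rollover(zsk_2014, zsk_2016))
    print(dnskey_content([zsk_2014, zsk_2016], parse_ymd("20160110")))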

BFH DNSSEC Keys (current)

KSK 2014-01-01 (expires 2025-02-01)

FIXME

ZSK 2014-01-01 (expires 2016-02-01)

FIXME