Automating a KSK rollover

Mark Elkins mje at posix.co.za
Sun Jul 5 11:54:05 UTC 2009


I've added some automation around signing zones. For the KSK - it has a
default life of 12 months. I'm looking at having two valid KSKs running
with an overlap of 6 months. This means updating dlv.isc.org every 6
months, adding a new key, removing the old key and leaving the key that's
6 months old. My system should remind me when to do this. Of course -
I'm still in the first 6-month cycle - so there is only one KSK for now
- so I'll only be adding a KSK next maintenance cycle.
This is fine for a few domains but I agree it would be painful for many
domains.

I'd like to see a system that I can tickle - so that it fetches the new
KSK from me (all automated).

Now that my zone is 'secure' - I could use it to distribute a public key
(PGP - whatever). I still have the TXT DLV record in my zone. Just
thinking out loud - as I'm interested too.

One day - I'd expect this to be built into Registry/Registrar EPP type
interfaces - fine except I like to host my own DNS.


On Sat, 2009-07-04 at 22:36 -0700, Shane W wrote:
> Hello all,
> 
> So I just did a KSK rollover, just to get a feel for how
> it's done, updating dlv.isc.org in the process. My question
> though is one of administration. When a domain rolls its
> ksk, will it be necessary to manually log in to a website
> and paste the new keys, log in again a month later and
> delete the old ksk? How will this work for sites hosting
> many domains? Is there some sort of standardized way as yet
> to communicate key changes to an upstream zone or in this
> case a lookaside provider?
> 
> Shane

-- 
  .  .     ___. .__      Posix Systems - Sth Africa.  e.164 VOIP ready
 /| /|       / /__       mje at posix.co.za  -  Mark J Elkins, Cisco CCIE
/ |/ |ARK \_/ /__ LKINS  Tel: +27 12 807 0590  Cell: +27 82 601 0496
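The two-KSK scheme Mark describes above (12-month key life, a new key every 6 months, so that at each maintenance run one key is added, the expired one is removed from dlv.isc.org and the 6-month-old one stays) can be turned into a small scheduler. The following is an added example and not code from the post, from BIND or from ISC; the key tags and dates are constructed sample values, and the "maintenance run" is modelled as a plan (keys to remove, keys to keep, whether to generate a new key) plus the date of the next reminder, which is what the automation would act on.

```python
import calendar
from dataclasses import dataclass
from datetime import date

KSK_LIFETIME_MONTHS = 12   # KSK life from the post
ROLL_INTERVAL_MONTHS = 6   # overlap / maintenance interval from the post


def add_months(d: date, months: int) -> date:
    """Return d shifted by `months`, clamping the day to the target month's length."""
    y, m0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class Ksk:
    tag: int        # key tag as it would appear in a DLV/DS record; constructed sample value
    created: date

    def expires(self) -> date:
        return add_months(self.created, KSK_LIFETIME_MONTHS)


def plan_cycle(keys, today):
    """Decide what the maintenance run on `today` should do.

    Returns a dict with:
      remove  - keys past their 12-month life (delete their record at the lookaside provider)
      keep    - keys still within their life (stay published)
      add_new - True when the newest key is ROLL_INTERVAL_MONTHS old or older,
                so a fresh KSK must be generated and its record added
    """
    remove = sorted((k for k in keys if k.expires() <= today), key=lambda k: k.created)
    keep = sorted((k for k in keys if k.expires() > today), key=lambda k: k.created)
    newest = max(keys, key=lambda k: k.created) if keys else None
    add_new = newest is None or add_months(newest.created, ROLL_INTERVAL_MONTHS) <= today
    return {"remove": remove, "keep": keep, "add_new": add_new}


def next_maintenance(keys):
    """Date of the next reminder: ROLL_INTERVAL_MONTHS after the newest key was made."""
    newest = max(keys, key=lambda k: k.created)
    return add_months(newest.created, ROLL_INTERVAL_MONTHS)


def simulate(start: date, cycles: int):
    """Walk through `cycles` maintenance runs; return (date, removed tags, published tags) per run."""
    keys = [Ksk(tag=1000, created=start)]   # a single first KSK, as in the post's "one KSK for now"
    history = []
    next_tag = 1001
    for _ in range(cycles):
        today = next_maintenance(keys)
        plan = plan_cycle(keys, today)
        keys = list(plan["keep"])
        if plan["add_new"]:
            keys.append(Ksk(tag=next_tag, created=today))
            next_tag += 1
        history.append((today, [k.tag for k in plan["remove"]], [k.tag for k in keys]))
    return history


if __name__ == "__main__":
    for day, removed, published in simulate(date(2009, 1, 1), 3):
        print(day, "remove:", removed, "published:", published)
```

Starting from one key made on 2009-01-01, the first run (2009-07-01) only adds a second key; from the second run onward each maintenance date removes exactly the 12-month-old key and adds one, so two KSKs are always published with a 6-month overlap. The same plan output is what a "tickle" interface at the lookaside provider would need to consume: one record to add, one to delete, the rest untouched.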




More information about the bind-users mailing list