ZSK rollover with BIND 9.6 and an automatically re-signed zone

Chris Thompson cet1 at cam.ac.uk
Wed Mar 25 11:39:00 UTC 2009


Scenario: BIND 9.6, and a signed zone all changes to which are made
by DNS update operations. Re-signing with the current ZSK is being
done automatically by BIND.

The question is how to roll over ZSKs for such a zone with these
desired features:

  1. The bulk of RRsets in the zone are signed with only one ZSK
     at a time (to limit the size of the zone).

  2. The switchover to a new ZSK should replace the RRSIG records
     gradually (to limit the size of the incremental transfers).

The following method seems to work (modulo a couple of wrinkles
that I will try and reproduce and report to bind9-bugs), but I am
not sure whether it is "supported". (Documentation on the new 9.6
features is still very sketchy.)

Start with a single ZSK (aaaaa) in the DNSKEY set. Automatic
re-signing is going on via the Kzone.+005+aaaaa.* files in
BIND's key-directory.

Add a new ZSK (bbbbb) to the DNSKEY set but do *not* put the
corresponding files in the key-directory. BIND creates the
TYPE65535 record for the new ZSK, and marks signing with it "done"
(presumably meaning "I did the best I could, as you didn't give
me the private key"). Re-signing with the old ZSK (aaaaa) continues
as required.

Wait long enough for all copies of the DNSKEY RRset without the
new ZSK to have disappeared.

Add the Kzone.+005+bbbbb files to the key-directory and more or
less simultaneously remove the Kzone.+005+aaaaa ones. As each RRset
comes up for re-signing, it gets signed with the new ZSK (bbbbb) only.

Wait long enough for all RRSIGs using the old ZSK (aaaaa) to have
reached their expiry date. All RRsets in the zone will have been
signed with the new ZSK (bbbbb) some time before that.

Remove the old ZSK (aaaaa) from the DNSKEY set. BIND finds there
aren't any RRSIGs using it any longer, and removes its TYPE65535
record.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
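An added example (not from the original message, and not BIND's own code) for the two "wait long enough" steps: it parses RRSIG lines from a zone dump to confirm that no unexpired signature made with the old ZSK remains before that key is removed from the DNSKEY set, and it computes the earliest time for each step from the DNSKEY TTL and the signature validity period. The key tags 12345 (old) and 54321 (new), the record lines and the function names are constructed assumptions.

```python
from datetime import datetime, timedelta

TS = "%Y%m%d%H%M%S"  # timestamp format of the RRSIG expiration/inception fields

def parse_rrsig(line):
    """Return (owner, covered type, keytag, expiration) for one RRSIG line, else None."""
    f = line.split()
    # owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return f[0], f[4], int(f[10]), datetime.strptime(f[8], TS)

def unexpired_by_key(lines, keytag, now):
    """(owner, type) pairs still carrying a non-expired RRSIG made with `keytag` at `now`."""
    t = datetime.strptime(now, TS)
    return [(r[0], r[1]) for r in map(parse_rrsig, lines)
            if r and r[2] == keytag and r[3] > t]

def safe_to_remove_zsk(lines, old_keytag, now):
    """Precondition for the last step: no live RRSIG in the dump was made with the old ZSK."""
    return not unexpired_by_key(lines, old_keytag, now)

def rollover_timeline(publish, dnskey_ttl_s, sig_validity_s, margin_s=0):
    """Earliest time for each step, given when the new ZSK entered the DNSKEY RRset.
    Swapping the key files waits out the DNSKEY TTL (no cache still lacks the new key);
    removing the old key waits out the signature validity (no RRSIG by it is still valid)."""
    t0 = datetime.strptime(publish, TS)
    switch = t0 + timedelta(seconds=dnskey_ttl_s + margin_s)
    retire = switch + timedelta(seconds=sig_validity_s + margin_s)
    return {"publish_new": publish,
            "switch_keyfiles": switch.strftime(TS),
            "remove_old": retire.strftime(TS)}

# Constructed zone-dump excerpt (as from `dig axfr`); 12345 = old ZSK, 54321 = new ZSK.
ZONE_DUMP = """\
example.com. 3600 IN RRSIG SOA 5 2 3600 20090501000000 20090401000000 12345 example.com. AbC=
example.com. 3600 IN RRSIG NS 5 2 3600 20090501000000 20090401000000 54321 example.com. AbC=
www.example.com. 3600 IN RRSIG A 5 3 3600 20090320000000 20090220000000 12345 example.com. AbC=
""".splitlines()

if __name__ == "__main__":
    print(unexpired_by_key(ZONE_DUMP, 12345, "20090401000000"))
    print(rollover_timeline("20090325113900", 3600, 30 * 86400))
```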
