is TSIG key rollover possible?

Mark Andrews marka at isc.org
Wed Sep 16 05:39:52 UTC 2009


In message <4AB072DC.2070102 at nzrs.net.nz>, Sebastian Castro writes:
> Hi everyone:
> 
> I was reading the document "Deprecation of HMAC-MD5 in DNS TSIG and TKEY
> Resource Records"
> (http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt)
> and I thought "Darn, I must be prepared to do a TSIG renovation", so
> started researching how to do it.
> 
> First step was checking if BIND supported a different algorithm, but the
> BIND ARM for BIND9.5 and 9.6 indicates "The algorithm, hmac-md5, is the
> only one supported by BIND". That seemed strange, considering the
> document indicated above was originally proposed in 2008. So I "used the
> source" and found out other algorithms are supported in 9.5 and 9.6, so
> there is a mistake in the documentation.
> 
> Anyway, TSIG rollover is an operation needed as indicated on RFC 2385:
> 
> -------------------- RFC 2385 quote -----------------------------
> 6.2. Secret keys should be changed periodically.  If the client host
>    has been compromised, the server should suspend the use of all
>    secrets known to that client.  If possible, secrets should be stored
>    in encrypted form.  Secrets should never be transmitted in the clear
>    over any network.  This document does not address the issue on how to
>    distribute secrets. Secrets should never be shared by more than two
>    entities.
> -------------------- RFC 2385 quote -----------------------------
> 
> but again the documentation indicates: "Multiple keys may be present,
> but only the first is used."

Which only applies to control channel keys.
 
> So, to coordinate the retirement of an old TSIG key and the introduction
> of a new one, it seems a close coordination between peers is needed in
> order to make it work, within a 'maintenance window' where the
> operations using the TSIG are not executed (in my particular interest,
> zone transfers)? Is it not possible to gradually introduce a new key,
> use both for a period of time and later retire the old one, similar to
> what is done in DNSSEC?
>
> Any experience on this matter that could be shared publicly or privately
> will be appreciated.
> 
> Kind Regards
> Sebastian Castro
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
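The gradual rollover Sebastian asks about (add the new key on both sides, accept either for a while, then switch and retire the old one) can be expressed directly in named.conf. The fragment below is an added example, not configuration posted in this thread; key names, the 192.0.2.1 address and the zone are illustrative, the secrets are placeholders to be replaced with freshly generated base64 material, and it assumes the standard TSIG behaviour that a request is verified against whichever configured key the request's TSIG record names. The "Multiple keys may be present, but only the first is used" sentence Sebastian found describes rndc control-channel keys, not zone-transfer ACLs, which may list several keys.

```conf
// Added example: overlapping an old HMAC-MD5 TSIG key with a new HMAC-SHA256
// key while rolling zone-transfer credentials between a primary and a secondary.
//
// Phase 1: define both keys on BOTH servers; the primary accepts either key,
//          the secondary still signs its requests with the old key.
// Phase 2: on the secondary, change the server{} clause to sign with the new key.
// Phase 3: once no peer uses the old key, delete its key{} statement and
//          drop it from allow-transfer on both sides.
//
// Secret values below are placeholders, not usable keys.

// ---------- on the primary (serves the zone) ----------
key "xfer-old" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-OLD-BASE64-SECRET==";
};

key "xfer-new" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NEW-BASE64-SECRET==";
};

zone "example.net" {
    type master;
    file "example.net.db";
    // Phase 1/2: a transfer request signed with either key is accepted.
    // Phase 3: remove the "xfer-old" entry once every peer has switched.
    allow-transfer { key "xfer-old"; key "xfer-new"; };
};

// ---------- on the secondary (pulls the zone) ----------
key "xfer-old" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-OLD-BASE64-SECRET==";
};

key "xfer-new" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NEW-BASE64-SECRET==";
};

server 192.0.2.1 {
    // The key the secondary uses to sign its outgoing requests to this primary.
    // Phase 1: "xfer-old";  Phase 2: change this single line to "xfer-new".
    keys { "xfer-new"; };
};

zone "example.net" {
    type slave;
    masters { 192.0.2.1; };
    file "example.net.db";
};
```

Because the primary checks each incoming request against the key named in that request's TSIG record, the secondary can switch from "xfer-old" to "xfer-new" at any moment during the overlap without a maintenance window; only the final removal of "xfer-old" has to wait until every peer has confirmed the switch. The algorithm change rides along with the rollover, since the algorithm is a property of each key statement rather than of the server as a whole.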


