ksk in a volume
niobos at dest-unreach.be
Thu Jun 16 07:31:59 UTC 2011
On 2011-06-15 15:51, Noel Rocha wrote:
> In this situation:
> - KSK signs the ZSK (DNSKEY RR).
> - ZSK signs the other RRs of the zone.
> I don't see a reason for the KSK to be present in operations unless
> adding/deleting DNSKEY RRs.

I had the same idea roughly a year ago. And while you're right, it
doesn't change much in practice. I'll explain my case, and assume it
applies to you as well.

Since you allow dynamic updates, the ZSKs need to be online. I think we
can all agree on this.

In theory, you could still sign the ZSKs "manually" with the KSK every
so often and keep the KSK offline in between. You believe this
makes your zone more secure.

However, I don't see any security benefits in this scenario: if the
attacker gets hold of the credentials to update the zone dynamically, he
can do so in both cases (KSK online or offline). If your server is
compromised, he can add/remove records in both cases. In case of ZSK
compromise, you can generate & sign new ZSKs in both cases. In case of KSK
compromise, you generate new KSKs and upload them to the parent. The
only difference is that in the offline case, KSK compromise is a little

So in the end, I decided to leave my KSK online and have BIND
automatically perform ZSK rollovers for me (KSKs are needed for this,
although you could pre-calculate all needed RRSIGs during all stages of
the rollover if you really want to).
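The thread's argument (dynamic updates only touch the ZSK; a ZSK rollover changes the DNSKEY RRset and therefore needs the KSK; a compromised server can change records whether or not the KSK is online) can be traced through a small model of the DNSSEC key hierarchy. The following is an added example, not code from the list post or from BIND. It is a structural model only: HMAC-SHA256 stands in for real DNSKEY signatures, the zone name `example.test.` and all records are constructed, and the `validate` function plays a resolver that trusts only the parent's DS.

```python
import hashlib
import hmac
import secrets


def canonical(owner: str, rrset: list) -> bytes:
    """Canonical form of an RRset: owner name plus sorted rdata (toy version)."""
    return owner.encode() + b"\n" + b"\n".join(s.encode() for s in sorted(rrset))


class Key:
    """Toy zone key; HMAC replaces RSA/ECDSA, so this models the trust chain,
    not DNSSEC cryptography. role is 'KSK' or 'ZSK'."""

    def __init__(self, role: str):
        assert role in ("KSK", "ZSK")
        self.role = role
        self.secret = secrets.token_bytes(32)
        self.tag = hashlib.sha256(self.secret).hexdigest()[:8]  # stands in for the key tag

    def rdata(self) -> str:
        return f"{self.role}:{self.tag}"  # stands in for DNSKEY rdata

    def sign(self, owner: str, rrset: list) -> tuple:
        return (self.tag, hmac.new(self.secret, canonical(owner, rrset), "sha256").digest())

    def verify(self, owner: str, rrset: list, sig: tuple) -> bool:
        tag, mac = sig
        return tag == self.tag and hmac.compare_digest(mac, self.sign(owner, rrset)[1])


def ds_record(ksk: Key) -> str:
    """DS published at the parent: a digest of the KSK's DNSKEY rdata."""
    return hashlib.sha256(ksk.rdata().encode()).hexdigest()


class Zone:
    def __init__(self, name: str, ksk: Key, zsk: Key):
        self.name, self.ksk, self.zsks = name, ksk, [zsk]
        self.ksk_online = True
        self.rrsets = {}   # owner -> list of rdata strings
        self.rrsigs = {}   # owner -> list of (key tag, mac)
        self.sign_dnskey()

    def dnskey_rrset(self) -> list:
        return [k.rdata() for k in [self.ksk] + self.zsks]

    def _require_ksk(self):
        if not self.ksk_online:
            raise RuntimeError("DNSKEY RRset must change but the KSK is offline")

    def sign_dnskey(self):
        # Only the DNSKEY RRset is signed by the KSK.
        self._require_ksk()
        self.rrsigs["DNSKEY"] = [self.ksk.sign("DNSKEY", self.dnskey_rrset())]

    def dynamic_update(self, owner: str, rrset: list):
        # A dynamic update touches ordinary RRsets: only the active ZSK signs.
        self.rrsets[owner] = list(rrset)
        self.rrsigs[owner] = [self.zsks[-1].sign(owner, rrset)]

    def roll_zsk(self, new_zsk: Key):
        # Pre-publish step of a ZSK rollover: DNSKEY changes, so the KSK is needed.
        self._require_ksk()
        self.zsks.append(new_zsk)
        self.sign_dnskey()

    def retire_zsk(self, old_zsk: Key):
        # Final step: drop the old ZSK, re-sign data with the new one, re-sign DNSKEY.
        self._require_ksk()
        self.zsks.remove(old_zsk)
        for owner, rrset in self.rrsets.items():
            self.rrsigs[owner] = [self.zsks[-1].sign(owner, rrset)]
        self.sign_dnskey()


def validate(zone: Zone, trusted_ds: str, owner: str) -> bool:
    """Resolver side: DS -> KSK -> DNSKEY RRset -> ZSK -> owner's RRset."""
    dnskeys = zone.dnskey_rrset()
    if ds_record(zone.ksk) != trusted_ds or zone.ksk.rdata() not in dnskeys:
        return False
    if not any(zone.ksk.verify("DNSKEY", dnskeys, s) for s in zone.rrsigs["DNSKEY"]):
        return False
    published = {k.tag: k for k in zone.zsks if k.rdata() in dnskeys}
    return any(published.get(tag) is not None
               and published[tag].verify(owner, zone.rrsets.get(owner, []), (tag, mac))
               for tag, mac in zone.rrsigs.get(owner, []))


def run_scenario() -> dict:
    """Walks the cases from the thread and returns what a resolver would accept."""
    ksk, zsk1, zsk2 = Key("KSK"), Key("ZSK"), Key("ZSK")
    zone, www = Zone("example.test.", ksk, zsk1), "www.example.test."
    ds = ds_record(ksk)
    out = {}
    zone.ksk_online = False                      # KSK kept offline between rollovers
    zone.dynamic_update(www, ["A 192.0.2.10"])   # constructed record
    out["update_with_ksk_offline"] = validate(zone, ds, www)
    try:
        zone.roll_zsk(zsk2)
        out["rollover_with_ksk_offline"] = "ok"
    except RuntimeError:
        out["rollover_with_ksk_offline"] = "needs KSK"
    zone.ksk_online = True
    zone.roll_zsk(zsk2)
    out["old_sig_during_prepublish"] = validate(zone, ds, www)
    zone.retire_zsk(zsk1)
    out["after_retire"] = validate(zone, ds, www)
    zone.rrsets[www] = ["A 198.51.100.1"]         # edited without any key: must fail
    out["tampered_unsigned"] = validate(zone, ds, www)
    return out


if __name__ == "__main__":
    print(run_scenario())
</test>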