Niobos niobos at dest-unreach.be
Thu Jun 16 07:31:59 UTC 2011

On 2011-06-15 15:51, Noel Rocha wrote:
> In this situation:
> - KSK signs the ZSK (DNSKEY RRset).
> - ZSK signs the other RRs of the zone.
> I don't see a reason for the KSK to be present in operations unless
> adding/deleting DNSKEY RRs.
I had the same idea roughly a year ago. And while you're right, it 
doesn't change much in practice. I'll explain my case, and assume it 
applies to you as well.

Since you allow dynamic updates, the ZSKs need to be online. I think we 
can all agree on this.
In theory, you could still sign the ZSKs "manually" with the KSK once 
not-too-often and keep the KSK offline in between. You believe this 
makes your zone more secure.

However, I don't see any security benefits in this scenario: If the 
attacker gets hold of the credentials to update the zone dynamically, he 
can do so in both cases (KSK online or offline). If your server is 
compromised, he can add/remove records in both cases. In case of ZSK 
compromise, you can generate and sign new ZSKs in both cases. In case of KSK 
compromise, you generate new KSKs and upload them to the parent. The 
only difference is that in the offline case, KSK compromise is a little 
less likely.

So in the end, I decided to leave my KSK online and have BIND 
automatically perform ZSK rollovers for me (KSKs are needed for this, 
although you could pre-calculate all needed RRSIGs during all stages of 
the rollover if you really want to).
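The point made above, that a ZSK rollover changes the DNSKEY RRset several times and the KSK has to sign each version (live if it is online, or all of them in advance if it is kept offline), can be made concrete with a small timing model. The following is an added example, not code from this thread or from BIND; it assumes a simplified reading of the Publish / Activate / Inactive / Delete metadata that BIND's dnssec-settime attaches to keys, and the key tags and dates are constructed sample values.

```python
"""Model of a DNSSEC ZSK rollover: which keys are in the DNSKEY RRset at a
given time, which keys sign, and how many distinct DNSKEY RRsets the KSK
must sign over the whole rollover.

Assumption: Publish/Activate/Inactive/Delete are treated as half-open
intervals [start, end), a simplified reading of BIND's dnssec-settime
metadata.  Nothing here talks to BIND; it is an illustration only."""

from dataclasses import dataclass
from datetime import datetime
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Key:
    tag: int                              # key tag, as seen in RRSIG/DS records
    role: str                             # "KSK" or "ZSK"
    publish: datetime                     # key enters the DNSKEY RRset
    activate: datetime                    # key starts producing signatures
    inactive: Optional[datetime] = None   # key stops producing signatures
    delete: Optional[datetime] = None     # key leaves the DNSKEY RRset


def at(date: str) -> datetime:
    """Parse a YYYY-MM-DD date (helper for the constructed sample data)."""
    return datetime.strptime(date, "%Y-%m-%d")


def _within(start: datetime, end: Optional[datetime], t: datetime) -> bool:
    return start <= t and (end is None or t < end)


def dnskey_rrset(keys: Sequence[Key], t: datetime) -> FrozenSet[int]:
    """Key tags published in the DNSKEY RRset at time t."""
    return frozenset(k.tag for k in keys if _within(k.publish, k.delete, t))


def signers(keys: Sequence[Key], t: datetime, role: str) -> FrozenSet[int]:
    """Key tags of the given role that are actively signing at time t."""
    return frozenset(k.tag for k in keys
                     if k.role == role and _within(k.activate, k.inactive, t))


def dnskey_rrset_versions(keys: Sequence[Key]) -> List[Tuple[datetime, FrozenSet[int]]]:
    """Every distinct DNSKEY RRset during the schedule, with its start time.

    Each entry is one RRset the KSK must sign: at that moment if the KSK is
    online, or ahead of time if the KSK is kept offline."""
    events = sorted({k.publish for k in keys} | {k.delete for k in keys if k.delete})
    versions: List[Tuple[datetime, FrozenSet[int]]] = []
    for t in events:
        rrset = dnskey_rrset(keys, t)
        if not versions or versions[-1][1] != rrset:
            versions.append((t, rrset))
    return versions


def check_rollover(keys: Sequence[Key]) -> List[str]:
    """Schedule sanity checks: no key signs before it is published or after
    it is deleted, and at every change there is a live ZSK and a live KSK."""
    problems: List[str] = []
    for k in keys:
        if k.activate < k.publish:
            problems.append(f"key {k.tag} signs before it is published")
        if k.inactive and k.delete and k.delete < k.inactive:
            problems.append(f"key {k.tag} is deleted while still signing")
    events = set()
    for k in keys:
        events.update(d for d in (k.publish, k.activate, k.inactive, k.delete) if d)
    for t in sorted(events):
        if not signers(keys, t, "ZSK"):
            problems.append(f"no active ZSK at {t:%Y-%m-%d}")
        if not signers(keys, t, "KSK"):
            problems.append(f"no active KSK at {t:%Y-%m-%d}")
    return problems


# Constructed sample: one KSK, an old ZSK retiring, and a successor ZSK
# pre-published one month before it takes over (tags are made up).
SAMPLE_KEYS = (
    Key(11111, "KSK", at("2011-01-01"), at("2011-01-01")),
    Key(22222, "ZSK", at("2011-01-01"), at("2011-01-01"), at("2011-07-01"), at("2011-08-01")),
    Key(33333, "ZSK", at("2011-06-01"), at("2011-07-01")),
)

# Constructed bad schedule: the successor arrives two weeks after the old
# ZSK stops signing, leaving the zone with no active ZSK in between.
BAD_KEYS = (
    Key(11111, "KSK", at("2011-01-01"), at("2011-01-01")),
    Key(22222, "ZSK", at("2011-01-01"), at("2011-01-01"), at("2011-07-01"), at("2011-08-01")),
    Key(33333, "ZSK", at("2011-07-15"), at("2011-07-15")),
)

if __name__ == "__main__":
    for t, rrset in dnskey_rrset_versions(SAMPLE_KEYS):
        print(f"{t:%Y-%m-%d}: DNSKEY RRset {sorted(rrset)} -> needs a KSK signature")
    print("problems in sample schedule:", check_rollover(SAMPLE_KEYS) or "none")
    print("problems in bad schedule:", check_rollover(BAD_KEYS))
```

Run stand-alone it lists the three DNSKEY RRset versions of the sample rollover (before pre-publication, during the overlap, and after the old ZSK is removed), which is exactly the number of RRSIGs an offline KSK would have to produce in advance; the ZSK-only change on the activation date needs no KSK involvement.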