problem registering DS records with EDUCAUSE, sanity check please

Tue Jul 15 02:14:57 UTC 2014

> From: Mark Andrews
> Sent: Monday, July 14, 2014 6:33 PM
>
> For a DS to *work* it needs to point to a key that signs the DNSKEY
> RRset.  Validators check that the signature exists.  Activating the
> key will add 1 signature to the zone.

Let me preface this reply by indicating that I am far from a dnssec expert
:), I researched it to some reasonable extent five odd years ago when we
converted our infrastructure to use it, but it's more than possible I
misunderstood something.

That said, I assume when you say to "work", you mean for that KSK to be part
of the trust path for a client to validate a given record. In which case,
it's not my intent at this time for that KSK to "work", only to publish it,
and have a valid DS record in place, such that it could work in the future.
When it's time to roll over, it will be activated and used for signing, and
clients will immediately be happy with it because the valid DS record is in
place. Until it's time for it to be activated, due to scheduled rollover or
emergency rollover due to key compromise, the secret key for that KSK could
theoretically sit in a locked safe far away from any networked system (not
that we actually do that, but it would be possible). If it were activated,
it would be in use; why would I want two active KSKs (unless, I suppose, I
was using the double signature method of rollover)? Keys have a publish time
separate from the activation time, your advice seems to be always make them
the same? Unless I misunderstood key rollover strategies and mechanisms,
there is nothing wrong with having a published key that is not actually
being used to sign anything yet.

> Not activating it increases the risk of shooting your self in the
> foot in the future which, presumable, EDUCAUSE is trying to prevent.
> If you were to disable the current key without first activating the
> new key and allowing the old DNSKEY RRset to clear caches you would
> end up with a broken secure delegation

Well, yes, if I were to do something stupid bad things would happen ;). I
could just stop publishing any DNSKEY records, leave dangling DS records in
the parent, and be completely broken. The publication and activation is
controlled by our fully automated (barring manual parent  DS record
maintenance) dnssec key rollover mechanism, so I'm not particularly worried
about shooting myself in the foot :).

I also don't think this is what educause is doing, as I haven't had any
trouble entering DS records for published but not activated KSK's in the
past, and I assume a change such as this would have come up in our existing
technical support interaction regarding what they might have changed about
the system since last year.

Thanks.