2021-07-03
Trying a DNSSEC zone signing key (ZSK) rollover
Time to do a zone signing key (ZSK) rollover. That rollover is relatively easy because I don't need to synchronize it with the DS key in the parent zone. I generated a 'successor' key for camp-wireless.com and set a short-notice publication date. The old ZSK has keytag 02908 and the new one has keytag 25619. There is an overlap of a month in which both keys are seen as valid because caching of DNS answers mean there can be signatures created with the old ZSK in caches. Generating a signed zone after the validity of the new ZSK has started shows both ZSKs signed as valid. Old and new zone signing key:; This is a zone-signing key, keyid 2908, for camp-wireless.com. ; Created: 20190704113915 (Thu Jul 4 13:39:15 2019) ; Publish: 20190704113915 (Thu Jul 4 13:39:15 2019) ; Activate: 20190704113915 (Thu Jul 4 13:39:15 2019) ; Inactive: 20210705000000 (Mon Jul 5 02:00:00 2021) ; Delete: 20210805000000 (Thu Aug 5 02:00:00 2021) camp-wireless.com. IN DNSKEY 256 3 13 lXntnbvQqHy+OSG/2RpHEbcYzeUAB2tFE+d5Us9M07Ndw7TI2DF2TIDx vC3bPomCE2102FJSr8/DnzoRiMHreg== ; This is a zone-signing key, keyid 25619, for camp-wireless.com. ; Created: 20210702115321 (Fri Jul 2 13:53:21 2021) ; Publish: 20210703000000 (Sat Jul 3 02:00:00 2021) ; Activate: 20210705000000 (Mon Jul 5 02:00:00 2021) camp-wireless.com. IN DNSKEY 256 3 13 kJpmrljuP7PncZij7G1Yn9xngKe1xUpuONG2XAx8AYXu//qXClAbgg3B bmzyeDpFAw2gDRhjQ7f5o20c1QK9OA==So I generated the key on 2 July 2021, with a set publication date of 3 July 2021. I shortened the prepublication period to avoid problems with other things happening in the near future and today it changed to published. If I generate new signatures again on 5 July 2021 those will use the new key. DNSSEC is a process with lots of things to get your brains around, and a key rollover is one of those things. A key signing key rollover is even harder because uploading of the public key to the registrar has to be kept synchronized with the published information. That is why I am testing all this on camp-wireless.com where it is not a major problem if something fails. Reports at dnsviz of the changeover:And yes there are warnings for the delegation from the hashing algorithm used for the DS record in the .com zone. I checked with my registrar and they are aware of the fact that SHA-1 records give warnings and are working on upgrading to SHA-256.
- dnsviz for camp-wireless.com 2021-07-02 11:34:22 UTC only ZSK 02908 is visible, everything is signed with 02908
- dnsviz for camp-wireless.com 2021-07-03 17:51:32 UTC both ZSK 02908 and 25619 are visible and valid, everything is signed with 02908. Key 25619 has changed to published but not activated.
- dnsviz for camp-wireless.com 2021-07-05 17:52:40 UTC I ran dnsviz shortly after updating the zone on purpose. Some records are signed with ZSK 25619, some with ZSK 02908 and some with both, which probably means they came from different nameservers. This means the rollover is working: every signature has a working trust path.
- dnsviz for camp-wireless.com 2021-07-13 07:09:13 UTC a scheduled 'check zone for needing signature updates' happened and I had to check the results. There is an error for the MX record because it has a signature with the old ZSK that will expire soon but is still available from the authoritive servers. For as far as I can see this is not a real problem. In the masterfile there is both the old signature (via the old ZSK) and the new signature (via the new ZSK).
- dnsviz for camp-wireless.com 2021-07-14 06:31:08 UTC Another 'check zone for needed updates' happened and now I see the MX record only signed with the new ZSK.
- dnsviz for camp-wireless.com 2021-07-16 14:29:45 UTC Stable situation at the moment.
- dnsviz for camp-wireless.com 2021-07-25 20:43:25 UTC I'm somewhat surprised the old keys are still in use.
- dnsviz for camp-wireless.com 2021-08-21 09:46:42 UTC Old keys gone. I don't understand the source of "Original TTL of RRSIG covering camp-wireless.com NSEC3PARAM" being 0.