
DNSSec Automatic Trust Anchor Export

Techie
Posts: 6

Hi,

 

We have several DNSSEC domains. We have to renew the trust anchors every month for our domains and have to send them to our registrar.

Is there a way to automatically generate the trust anchors, export them and send them to a specific mail account, so I only have to forward them to our domain registrar?

 

Thanks for your support.

 

Re: DNSSec Automatic Trust Anchor Export

Authority
Posts: 46

Just to make sure I understand, you are required to roll your key signing key (KSK) every month?

 

NIST guidance is 1-2 years for the KSK and 1-3 months for the zone signing key (ZSK).

 

I could understand rolling your ZSK that often, but rolling the KSK (depending on your DNSKEY and RRSIG TTLs) could be detrimental to your zone and sanity. There is no need for your registrar to sign or otherwise inspect your ZSKs.

 

Thanks,

Re: DNSSec Automatic Trust Anchor Export

Community Manager
Posts: 248

You can at least get the public keys via the WAPI:

 

/wapi/v2.3/zone_auth?fqdn=acme.com&_return_fields%2B=dnssec_keys

 

But as Don says, rolling them every 30 days seems odd.

Re: DNSSec Automatic Trust Anchor Export

Authority
Posts: 46

PAPI for the same info would be: my $zone_keys = $zone->dnssec_keys();

 

Re: DNSSec Automatic Trust Anchor Export

Techie
Posts: 6

Hi,

 

Yes, I mean the ZSK - that I have to send to the registrar...

Re: DNSSec Automatic Trust Anchor Export

Expert
Posts: 323

No, you don't send the ZSK to the registrar; you generate a DS record for each KSK and then send that to your registrar. You only need to do that when you roll the KSK, which should be every year or 2. You shouldn't need to do it monthly; that is probably a bit excessive.

 

You can roll the ZSK monthly if you want, but you don't need to send anything to your registrar.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
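As an added example (not code from this thread or from Infoblox), the following Python derives the DS record Paul describes from a KSK DNSKEY RR, and deliberately returns nothing for a ZSK (SEP flag clear), which is the key the original poster was about to send. It assumes the DNSKEY is available in standard presentation format (for instance copied from the zone); the sample records are constructed, not real keys.

```python
"""Derive the DS record for the registrar from a KSK DNSKEY RR (RFC 4034
Appendix B key tag, RFC 4509 type-2 SHA-256 digest). Samples are constructed."""
import base64
import hashlib
import struct
from typing import Optional

# Constructed samples: same key material, differing only in the SEP flag bit.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAQID"
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AwEAAQID"

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B checksum over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(owner: str) -> bytes:
    """Canonical owner name: lowercase labels in uncompressed wire format."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str) -> str:
    """Build the DS RR (digest type 2, SHA-256) for the given DNSKEY RDATA."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return f"{owner.lower().rstrip('.')}. IN DS {tag} {algorithm} 2 {digest}"

def ds_from_dnskey_rr(rr: str) -> Optional[str]:
    """Parse a presentation-format DNSKEY RR; emit a DS only for a KSK."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    if not flags & 1:  # bit 0 is the SEP flag: 257 = KSK, 256 = ZSK
        return None  # never hand a ZSK to the registrar
    pubkey_b64 = "".join(f for f in fields[idx + 4:] if f not in "()")
    return ds_record(fields[0], flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    print(ds_from_dnskey_rr(SAMPLE_KSK))
```

Before forwarding, compare the key tag in the generated DS against the one your signer reports for the KSK; a mismatch means the wrong key or a mangled DNSKEY string.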