06-22-2016 10:26 PM
We have several DNSSEC domains. We have to renew the trust anchors every month for our domains and have to send them to our registrar.
Is there a way to automatically generate the trust anchors, export them and send them to a specific mail account, so I only have to forward them to our domain registrar?
Thanks for your support.
06-23-2016 11:31 AM
Just to make sure I understand, you are required to roll your key signing key (KSK) every month?
NIST guidance is 1-2 years for the KSK and 1-3 months for the zone signing key (ZSK).
I could understand rolling your ZSK that often but rolling the KSK (depending on your DNSKEY and RRSIG TTLs) could be detrimental to your zone and sanity. There is no need for your registrar to sign or otherwise inspect your ZSKs.
06-23-2016 11:36 AM
You can at least get the public keys via the WAPI:
But as Don says, rolling them every 30 days seems odd.
06-24-2016 04:03 AM - edited 06-24-2016 04:05 AM
No, you don't send the ZSK to the registrar; you generate a DS record for each KSK and then send that to your registrar. You only need to do that when you roll the KSK, which should be every year or 2. You shouldn't need to do it monthly; that is probably a bit excessive.
You can roll the ZSK monthly if you want but you don't need to send anything to your registrar.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
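As an added illustration of the step the last two replies describe (generating the DS record for the KSK, which is the only thing the registrar needs), here is an example that is not from this thread or from Infoblox: it takes a DNSKEY in presentation format, as returned by the WAPI or `dig`, and computes the key tag and DS record per RFC 4034. The owner name example.com and the key material are constructed for illustration, and the ZSK check is the author's own addition.

```python
import base64
import hashlib
import struct

# Constructed sample KSK (flags 257 = zone key + SEP, protocol 3, algorithm 8 =
# RSASHA256). The key bytes are made up for illustration and are NOT a real key;
# substitute the DNSKEY exported for your own zone.
SAMPLE_OWNER = "example.com."
SAMPLE_KEY_B64 = base64.b64encode(b"\x03\x01\x00\x01" + b"\x00" * 32).decode()
SAMPLE_DNSKEY = f"257 3 8 {SAMPLE_KEY_B64}"

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}  # DS digest types


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (all algorithms except the obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest_input(owner: str, rdata: bytes) -> bytes:
    """The DS digest covers the canonical owner name followed by the DNSKEY RDATA."""
    return owner_to_wire(owner) + rdata


def ds_record(owner: str, dnskey_text: str, digest_type: int = 2) -> str:
    """Build the DS record line to hand to the registrar for one KSK."""
    flags, proto, alg, key = dnskey_text.split(None, 3)
    flags, proto, alg = int(flags), int(proto), int(alg)
    if flags & 0x0001 == 0:  # SEP bit clear: this is a ZSK, which never goes to the registrar
        raise ValueError("not a KSK (SEP bit not set); only KSKs need a DS record")
    rdata = dnskey_rdata(flags, proto, alg, "".join(key.split()))
    digest = DIGESTS[digest_type](ds_digest_input(owner, rdata)).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"


if __name__ == "__main__":
    print(ds_record(SAMPLE_OWNER, SAMPLE_DNSKEY))
```

Feeding a ZSK (flags 256) raises instead of producing a DS, which matches the replies above: ZSK rollovers are local to your zone and nothing is sent to the registrar.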