We are in the process of planning a DNSSEC deployment.
The administrator guide is not very clear about the KSK rollover procedure, specifically about whether it is possible to have a zone signed by more than one key at a time.
In order for a seamless transition to occur for people trying to resolve our domain(s), it seems it is necessary to have a zone signed by the old key and the new key at the same time. After that, the new DS record is added to the parent zone (and the old one is kept there as well). Once the TTL has expired on the old DS record (at this point all possible resolvers out there on the internet should have gotten a copy of our zone(s) that are now signed by both keys, old and new), it would be safe to remove the old key from our zone(s) and to remove the corresponding DS record from the parent zone.
Eventually once the TTL expires again everyone on the internet will only have copies with the new key.
I’ve seen documentation that this is possible when using BIND, but it is unclear how this works on Infoblox.
There is just the button ‘roll KSK over’; what does this do? Does it keep the old DS record until the TTL expires automatically? Does it resign the zone with the new key and get rid of the old key immediately?
Thanks for any insight you can provide me with.
And feel free to correct me on the concepts I have talked about as I am still in the research phase of this project and I could very well not know what I am talking about.
05-31-2013 09:50 AM
We support KSK rollovers as described in RFC 4641, which includes having two KSKs in the zone for some period of time. We even handle KSK rollovers when we're authoritative for both parent and child zone, updating the DS RRs in the parent zone.
The one manual portion of the process is submission of your new DS RR to your parent and subsequent deletion of the old DS RR if we don't manage the parent zone. There's no standard yet for doing that, so you'll have to figure out how your registrar handles it.
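The timing constraints behind the double-signature KSK rollover discussed in this thread, as an added example that is not part of the original posts and not Infoblox or BIND code: a small Python model that checks whether a rollover schedule can ever leave a validator holding a cached DS RRset that matches no key signing the cached DNSKEY RRset. The key tags, TTLs and schedules are constructed values.

```python
# Discrete-time model (1 unit = 1 hour) of the RFC 4641 double-signature KSK rollover.
# Constructed example: it checks the invariant that every combination a validator could
# hold in cache (a DS RRset fetched within the DS TTL and a DNSKEY RRset plus its RRSIG
# fetched within the DNSKEY TTL) still chains from a DS to a key that signed the RRset.
from dataclasses import dataclass

@dataclass(frozen=True)
class Phase:
    start: int            # hour at which this state is first published
    ds: frozenset         # KSK key tags present in the parent's DS RRset
    dnskeys: frozenset    # KSK key tags present in the child's DNSKEY RRset
    signers: frozenset    # KSKs whose RRSIG covers the child's DNSKEY RRset

def phase_at(phases, t):
    """Return the phase an authoritative server serves at hour t (phases sorted by start)."""
    current = phases[0]
    for p in phases:
        if p.start <= t:
            current = p
    return current

def chains(ds, dnskeys, signers):
    """Validation succeeds if some DS matches a published KSK that signed the DNSKEY RRset."""
    return bool(ds & dnskeys & signers)

def first_breakage(phases, ds_ttl, dnskey_ttl, horizon):
    """First hour at which some cacheable DS/DNSKEY combination fails, or None if safe."""
    for t in range(horizon):
        for t_ds in range(max(0, t - ds_ttl), t + 1):           # when the DS was cached
            for t_key in range(max(0, t - dnskey_ttl), t + 1):  # when DNSKEY+RRSIG was cached
                keys = phase_at(phases, t_key)
                if not chains(phase_at(phases, t_ds).ds, keys.dnskeys, keys.signers):
                    return t
    return None

OLD, NEW = frozenset({11111}), frozenset({22222})   # constructed key tags
DS_TTL, DNSKEY_TTL = 24, 4                           # constructed TTLs, in hours

# RFC 4641 order: publish new KSK and double-sign, wait the DNSKEY TTL, swap the DS in the
# parent, wait the DS TTL, then drop the old KSK and its signatures.
RFC_SCHEDULE = [
    Phase(0, OLD, OLD, OLD),
    Phase(1, OLD, OLD | NEW, OLD | NEW),
    Phase(1 + DNSKEY_TTL, NEW, OLD | NEW, OLD | NEW),
    Phase(1 + DNSKEY_TTL + DS_TTL, NEW, NEW, NEW),
]
# Naive order: replace key and DS in one step, so a cached old DS matches nothing.
NAIVE_SCHEDULE = [Phase(0, OLD, OLD, OLD), Phase(1, NEW, NEW, NEW)]

if __name__ == "__main__":
    print("RFC 4641 schedule breaks at:", first_breakage(RFC_SCHEDULE, DS_TTL, DNSKEY_TTL, 72))
    print("naive schedule breaks at:", first_breakage(NAIVE_SCHEDULE, DS_TTL, DNSKEY_TTL, 72))
```

Shortening either waiting period by even one hour makes `first_breakage` report the hour at which a stale cached DS can meet a DNSKEY RRset it no longer matches, which is exactly the window the asker's procedure is designed to avoid.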