- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Printer Friendly Page
DNSSEC - KSK Rollover
[ Edited ]- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-24-2021 05:05 PM - edited 10-24-2021 08:19 PM
Hello,
I have a DNSSEC singed zone with the default KSK Rollover period of 1 year. I want to know what happens after 1 year when the rollover period expires naturally.
I understand that a new KSK key pair gets generated and the DNSKEY record set is signed with it and since Double-Sign method is used the old KSK is also valid until the grace period.
So what is the grace period when the KSK expires naturally?
If its half the rollover period i.e 182.5 days then do I have this much time to update the registrar with the new DS record?
Once the new DS record has been updated at the registar I wait for the TTL and then remove the old DS record. Then again wait for the TTL to expire and then remove the old KSK from the zone? Is this the correct way to perform a seamless rollover?
Thank you.
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-13-2023 09:23 AM
Giving this thread a bump, as I have the exact same questions and I am working on deploying DNSSEC on several of our zones.
Re: DNSSEC - KSK Rollover
[ Edited ]- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
11-14-2023 12:36 AM - edited 11-14-2023 12:38 AM
I am currently testing on this in my lab according to manual that supplied by Infoblox. https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-dnssec
What i noticed if KSK expired (assuming after 365 days), the entire signed zones will become BOGUS. You should be able to noticed the validity of your DNSSEC record through dig www.example.com +dnssec
www.example.com. 300 IN RRSIG A 8 3 300 20231116065751(valid before) 20231114055751(valid after)
Just to share the below link for more reads-up
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
08-28-2024 11:27 PM
Same question here.
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
09-09-2024 01:13 AM
If the ‘enable automatic KSK rollover’ is enabled, the KSK key will be rolled automatically but you still need to update the parent zone by exporting the DS key to the registrar.
The rolled key is valid for half the rollover interval. If the rollover period is set to 1y, than the rolled key is valid for 6 months.
So publishing the new KSK key must be done within this period. Keep an eye on the TTL of the zone and don’t wait for the last day to avoid a bogus domain.
Deleting the rolled key at the registrar (after publishing the new one) can be done after publishing the new one but you should wait because cached records.
You can delete the record a week or a month later to be on the safe side.
Deleting the old key in your grid is done by NIOS.
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-22-2024 01:31 AM
Hi All,
Is there any API code available for doing KSK Rollover for bulk domains?
Regards
Rahul
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
10-22-2024 04:43 AM
I found the answer to my question. Using below function and operation string we can script ksk rollover via api.
https://ipam.illinois.edu/wapidoc/objects/zone_auth.html?highlight=dnssec_operation#dnssec-operation
dnssec_operation
This function performs DNSSEC operations on the zone.
This function does not support multiple object matches when called as part of an atomic insertion operation.
Input fields
buffer ( String. ) This field contains the imported KSK or DS record. The value must be a KSK or DS record, and it must belong to an immediate subzone of the zone to which the record is being imported. For more information, refer to the “DS Resource Records” section in the Infoblox NIOS Administrator Guide.”
operation ( String. Valid values are: “IMPORT_DS”, “ROLLOVER_KSK”, “SIGN”, “UNSIGN”, “ROLLOVER_ZSK”, “RESIGN” ). This parameter is mandatory. The DNSSEC operation to perform. When importing a keyset via “IMPORT_DS” the buffer field is mandatory; otherwise, it is ignored.
Regards
Rahul
Re: DNSSEC - KSK Rollover
- Mark as New
- Bookmark
- Subscribe
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
3 weeks ago
hi mvpaasen,
Sorry to ask, i believed you mean the KSK rollover period is set to 1 year under here (red highlighted) , am i right?
Next, may i understand are you mean that,
1) for next KSK rollover, the older roll key is still valid for 6 months before its Key ID was removed from infoblox automatically right?
2) when you mean "publishing new KSK key", are you mean export the DS record and upload to DNS registrar must be done within this 6 month?