Now Available - Forrester's Total Economic Impact study. Discover millions in cost savings, unlock IT efficiency gains, and explore why NIOS DDI is a game changer. Get Your Copy here.

NIOS DNS DHCP IPAM

Reply

DNSSEC - KSK Rollover

[ Edited ]
shreevar
New Member
Posts: 1

‎10-24-2021 05:05 PM - edited ‎10-24-2021 08:19 PM

1447     1

Hello,

 

I have a DNSSEC singed zone with the default KSK Rollover period of 1 year. I want to know what happens after 1 year when the rollover period expires naturally.

 

I understand that a new KSK key pair gets generated and the DNSKEY record set is signed with it and since Double-Sign method is used the old KSK is also valid until the grace period. 

 

So what is the grace period when the KSK expires naturally? 

 

If its half the rollover period i.e 182.5 days then do I have this much time to update the registrar with the new DS record? 

 

Once the new DS record has been updated at the registar I wait for the TTL and then remove the old DS record. Then again wait for the TTL to expire and then remove the old KSK from the zone? Is this the correct way to perform a seamless rollover?

 

Thank you.

Labels:
Reply

Re: DNSSEC - KSK Rollover
jmcnutt
New Member
Posts: 1

3 weeks ago

1448     1

Giving this thread a bump, as I have the exact same questions and I am working on deploying DNSSEC on several of our zones.

Reply
0 Kudos

Re: DNSSEC - KSK Rollover

[ Edited ]
dotax
Authority
Posts: 9

3 weeks ago - last edited 3 weeks ago

1448     1

I am currently testing on this in my lab according to manual that supplied by Infoblox. https://insights.infoblox.com/resources-deployment-guides/infoblox-deployment-guide-dnssec

 

What i noticed if KSK expired (assuming after 365 days), the entire signed zones will become BOGUS. You should be able to noticed the validity of your DNSSEC record through dig www.example.com +dnssec

www.example.com. 300 IN RRSIG A 8 3 300 20231116065751(valid before) 20231114055751(valid after)

 

Just to share the below link for more reads-up

https://pi-hole.net/blog/2021/12/12/understanding-dnssec-validation-using-pi-holes-query-log/#page-c...

Reply
0 Kudos
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Recommended for You

Latest Annoucements

Infoblox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community