[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation

Sebastian Nielsen sebastian at sebbe.eu
Thu Feb 15 13:13:35 UTC 2018

I don't agree. If your KSK/ZSK gets out into the wild, it's easy to replace them at
the registrar.
I never rotate my ZSK as well, I just re-sign them with a future date (with
the same script that renews my Let's Encrypt certificates).

Having a separate signing machine, HSM or similar security is only required
if you have certain registrar flags that prevent changing of the DNSSEC
keys from the registrar web admin. (These flags are set for high-value
domains like paypal.com etc., requiring these domains to be updated through
manual means.)

-----Original message-----
From: nsd-users [mailto:nsd-users-bounces at NLnetLabs.nl] On behalf of Michael A.
Sent: 15 February 2018 13:54
To: nsd-users at NLnetLabs.nl
Subject: Re: [nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation

On 02/14/2018 05:02 PM, Jasper Wallace wrote:
> Hi,
> When NSD serves a signed zone will it also re-sign it and rotate ZSKs as
> needed? Or do you have to use e.g. OpenDNSSEC to handle it?

NSD only serves the zone file. The entries in the zone file have to be 
signed and uploaded to your authoritative name server.

Also, even though it is commonly done, you should NOT have your ksk / 
zsk private keys on your authoritative nameserver.

You should have a signing machine that only has an ssh port open that 
signs your zone files before sending them to NSD to be served.

If your signing keys are stolen then DNSSEC does not offer much 
protection, so they should be heavily guarded.
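Both replies assume the zone is signed outside NSD and re-signed before its RRSIGs expire. The check below is an added example, not code from the thread or from NSD: it parses RRSIG records from a signed zone in presentation format and reports which signatures are expired or inside a refresh window, which is what a re-signing script like the one described above has to decide. The zone text, the domain name and the "owner TTL class RRSIG ..." field layout are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample zone fragment (example.com is illustrative, not a zone
# from the thread). Field order follows RFC 4034 presentation format:
# owner TTL class RRSIG type alg labels origTTL expiration inception keytag signer sig
SAMPLE_ZONE = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20180401000000 20180201000000 12345 example.com. AbCd==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20180220000000 20180201000000 54321 example.com. EfGh==
www.example.com. 300 IN RRSIG A 8 3 300 20180501000000 20180201000000 12345 example.com. IjKl==
"""

def _parse_time(field):
    # RRSIG times are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(zone_text):
    """Return a dict per RRSIG line; other records and short lines are skipped."""
    sigs = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append({
            "owner": fields[0],
            "type": fields[4],
            "expiration": _parse_time(fields[8]),
            "inception": _parse_time(fields[9]),
            "keytag": int(fields[10]),
        })
    return sigs

def signatures_needing_refresh(zone_text, now, refresh_days=14):
    """Return RRSIGs that are already expired, not yet valid, or expire within
    refresh_days of `now`, each tagged with a status string."""
    flagged = []
    for sig in parse_rrsigs(zone_text):
        remaining = (sig["expiration"] - now).total_seconds() / 86400
        if sig["inception"] > now:
            status = "not-yet-valid"
        elif remaining <= 0:
            status = "expired"
        elif remaining <= refresh_days:
            status = "expiring"
        else:
            continue
        flagged.append(dict(sig, status=status, days_left=round(remaining, 2)))
    return flagged

if __name__ == "__main__":
    now = datetime(2018, 2, 15, tzinfo=timezone.utc)
    for s in signatures_needing_refresh(SAMPLE_ZONE, now):
        print(f'{s["owner"]} {s["type"]} keytag={s["keytag"]} {s["status"]} ({s["days_left"]} days)')
```

Run it against the output of your signer (on the signing host, not the NSD server) and alert when anything comes back; the threshold should exceed the longest gap between signing runs plus the zone's TTL and SOA expire.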
