[nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation

Michael A. Peters mpeters at domblogger.net
Thu Feb 15 17:23:02 UTC 2018

It takes time to replace the KSK and you have to know it was 
compromised. ZSK is easy but ZSK should be 1024-bit to keep DNS 
responses small, which means it should be rotated fairly often. I do 
once a week (on Sunday) but I believe the recommended is once a month.

Having a separate signing machine is not required, but it is better 
policy, nameservers have a history being exploitable (especially BIND) 
and if your signing keys are in the wild, you are vulnerable until they 
expire. Or rather, users trusting your DNS responses are vulnerable.

This is particularly dangerous if you use DANE to verify TLS 
certificates for SMTP where certificate authorities are almost never 
even checked by the connecting SMTP server.

On 02/15/2018 05:13 AM, Sebastian Nielsen wrote:
> I don't agree. If your KSK/ZSK gets on the wild, its easy to replace them at
> the registrar.
> I never rotate my ZSK aswell, I just resign them with a future date (with
> the same script that renews my Lets Encrypt certificates)
> Having a separate signing machine, HSM or similiar security is only required
> if you have certain registrar flags that prevents changing of the DNSSEC
> keys from the registrar web admin. (these flags are set for high value
> domains like paypal.com etc requiring these domains to be updated through
> manual means)
> -----Ursprungligt meddelande-----
> Från: nsd-users [mailto:nsd-users-bounces at NLnetLabs.nl] För Michael A.
> Peters
> Skickat: den 15 februari 2018 13:54
> Till: nsd-users at NLnetLabs.nl
> Ämne: Re: [nsd-users] NSD and DNSSEC signature refreshing and ZSK rotation
> On 02/14/2018 05:02 PM, Jasper Wallace wrote:
>> Hi,
>> When NSD serves a signed zone will it also re-sign it and rotate ZSK's as
>> needed? Or do you have to use e.g. OpenDNSSEC to handle it?
> NSD only serves the zone file. The entries in the zone file have to be
> signed and uploaded to your authoritative name server.
> Also, even though it is commonly done, you should NOT have your ksk /
> zsk private keys on your authoritative nameserver.
> You should have a signing machine that only has an ssh port open that
> signs your zone files before sending them to NSD to be served.
> If your signing keys are stolen then DNSSEC does not offer much
> protection, so they should be heavily guarded.
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> https://open.nlnetlabs.nl/mailman/listinfo/nsd-users

More information about the nsd-users mailing list