[ISC-support #22100] Offline KSK
Implement offline key support.
This will require signatures for the DNSKEY, CDS, and CDNSKEY RRsets to be generated in advance. This is done with a Key Signing Request (KSR): on the system that holds the KSK, provide the KSR and ask it to create signed RRsets for each period, resulting in a Signed Key Response (SKR).
This also means that DNSKEY records for the ZSK need to be pregenerated, because ZSK rollovers may take place while the KSK is offline.
This also means that "Offline KSK" does not work in conjunction with a CSK, because the zone contents need to be re-signed periodically.
Pregenerating keys can be done with dnssec-keygen, or some other method. But we need to provide a dnssec-policy and the duration for which SKRs need to be created. For example, if you have a policy where ZSKs are rolled every 3 months, and you want to keep the KSK offline for a year, the key generation utility should create 4 keys. The keys should have additional metadata that sets the Predecessor and Successor key metadata and/or the Published and Remove timing metadata.
We need to load the SKR files. Probably import them beforehand with rndc reconfig or rndc import skr or something. Then when BIND decides to rekey it needs to look up the correct DNSKEY, CDNSKEY, and CDS records from the SKR data, and when BIND decides to resign it needs to look up the signatures from the same SKR data.
When BIND starts a new key rollover, it should select the right key. This is determined by the metadata. The new keyset must match the SKR data.
If the dnssec-policy changes, the KSR process needs to be done again and the new SKR files should be imported.
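The key-pregeneration and SKR-lookup steps above, modelled as an added Python example. This is not BIND code and not the dnssec-ksr tool described in this issue; it is a constructed illustration of the planning logic. The policy values (3-month ZSK lifetime, 7-day prepublish and retire-safety margins), the key tags, the KSK tag 4096 and the RRSIG placeholder strings are all assumptions. It plans one ZSK per lifetime for the offline interval, links Predecessor/Successor metadata, derives the per-period DNSKEY RRset an SKR would have to be signed over (the RRset changes only at a Publish or Remove time, so rollovers produce a period where two ZSKs are published), and shows the lookup and "keyset must match the SKR" check that BIND would perform at rekey/resign time. Outside the covered interval the lookup returns nothing, which is the failure mode to plan for: with the KSK offline there is no way to sign an unplanned keyset.

```python
"""Plan pregenerated ZSKs for an offline-KSK interval and derive the per-period
DNSKEY RRsets an SKR must cover. Constructed example; not BIND's own code."""
from __future__ import annotations
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def utc(year: int, month: int, day: int) -> datetime:
    """Small helper so sample timestamps read like DNSSEC timing metadata."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def add_months(t: datetime, months: int) -> datetime:
    """Calendar-month arithmetic (ISO 8601 'P3M' style); clamps the day of month."""
    month0 = t.month - 1 + months
    year, month = t.year + month0 // 12, month0 % 12 + 1
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))


@dataclass
class Policy:
    """Values a dnssec-policy would supply (assumed numbers, constructed here)."""
    zsk_lifetime_months: int = 3
    prepublish: timedelta = timedelta(days=7)     # publish successor before it signs
    retire_safety: timedelta = timedelta(days=7)  # keep predecessor published after retire


@dataclass
class PlannedKey:
    tag: int
    publish: datetime
    active: datetime
    retire: datetime
    remove: datetime
    predecessor: Optional[int] = None
    successor: Optional[int] = None


def plan_zsks(policy: Policy, start: datetime, offline_months: int,
              first_tag: int = 10000) -> list[PlannedKey]:
    """One ZSK per lifetime until the KSK is back; link Predecessor/Successor."""
    end = add_months(start, offline_months)
    keys: list[PlannedKey] = []
    active = start
    while active < end:
        retire = add_months(active, policy.zsk_lifetime_months)
        publish = start if not keys else active - policy.prepublish
        keys.append(PlannedKey(first_tag + len(keys), publish, active,
                               retire, retire + policy.retire_safety))
        active = retire
    for prev, nxt in zip(keys, keys[1:]):
        prev.successor, nxt.predecessor = nxt.tag, prev.tag
    return keys


@dataclass
class SkrPeriod:
    start: datetime
    end: datetime
    dnskey_tags: tuple[int, ...]  # KSK plus every ZSK published during the period
    rrsig_dnskey: str             # placeholder for the pre-made signature


def build_skr_periods(keys: list[PlannedKey], ksk_tag: int,
                      start: datetime, end: datetime) -> list[SkrPeriod]:
    """The DNSKEY RRset only changes at a Publish or Remove time, so one SKR
    period spans the interval between two consecutive such boundaries."""
    boundaries = sorted({start, end} | {t for k in keys
                                        for t in (k.publish, k.remove)
                                        if start < t < end})
    periods = []
    for a, b in zip(boundaries, boundaries[1:]):
        zsks = tuple(sorted(k.tag for k in keys if k.publish <= a < k.remove))
        sig = f"RRSIG(DNSKEY, keytag {ksk_tag}) {a:%Y%m%d}-{b:%Y%m%d}"  # placeholder
        periods.append(SkrPeriod(a, b, (ksk_tag,) + zsks, sig))
    return periods


def lookup_skr(periods: list[SkrPeriod], now: datetime) -> Optional[SkrPeriod]:
    """At rekey/resign time, find the pre-signed SKR entry covering 'now'."""
    for p in periods:
        if p.start <= now < p.end:
            return p
    return None  # nothing pre-signed for this time: signing must fail, not improvise


def keyset_matches(period: SkrPeriod, published_tags) -> bool:
    """The keyset to be published must equal what the SKR was signed over."""
    return tuple(sorted(published_tags)) == tuple(sorted(period.dnskey_tags))


if __name__ == "__main__":
    start = utc(2024, 1, 1)
    keys = plan_zsks(Policy(), start, offline_months=12)
    for k in keys:
        print(f"ZSK {k.tag}: publish {k.publish:%Y-%m-%d} active {k.active:%Y-%m-%d} "
              f"retire {k.retire:%Y-%m-%d} remove {k.remove:%Y-%m-%d} "
              f"pred={k.predecessor} succ={k.successor}")
    for p in build_skr_periods(keys, 4096, start, add_months(start, 12)):
        print(f"{p.start:%Y-%m-%d} .. {p.end:%Y-%m-%d}: DNSKEY tags {p.dnskey_tags}")
```

With the assumed policy a 12-month offline interval yields exactly the 4 ZSKs the text describes, and 7 SKR periods: every rollover adds a short period in which both the retiring and the incoming ZSK appear in the DNSKEY RRset, so the SKR needs a separate pre-made signature for it.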
So the following changes to the code and documentation need to be made:
- Create a tool dnssec-ksr for dealing with KSRs (!8188 (merged))
- Add an option to dnssec-ksr to generate keys given an interval and a DNSSEC policy (!8188 (merged))
- Add an option to dnssec-ksr to create KSR files given an interval, a DNSSEC policy, and some keys (!8188 (merged))
- Add an option to dnssec-ksr to sign KSR files, generating SKR files to be imported into BIND (!8188 (merged))
- Create signed CDS and CDNSKEY RRsets in the SKR files (!8188 (merged))
- Add a command line option for rndc to import an SKR file or directory (!9119 (merged))
- When rekeying, make sure that the DNSKEY, CDNSKEY, and CDS records match the SKR data (!9119 (merged))
- When resigning, look up the signature in the SKR data rather than trying to generate a new signature (!9119 (merged))
- Add a checkconf check that Offline KSK cannot work with CSK (!9119 (merged))
- Add documentation about Offline KSK to the ARM and DNSSEC guide (!9119 (merged))