KSK Rollovers
Here is the step-by-step guide to performing a KSK rollover on a per-zone basis in DNSSEC.
Step 1 - Fetch the current DS and KSK values.
Use the API command StatusDNSZone to fetch the current DS and KSK values.
The important values are:
property[keydata][#] = (TEXT)
property[keydsdata sha256][#] = (TEXT)
property[status][#] = ready
Example
[COMMAND]
command = StatusDNSZone
dnszone = (TEXT)
EOF
Response
[RESPONSE]
code = (INTEGER)
description = (TEXT)
runtime = (INTEGER)
queuetime = (INTEGER)
property[active][#] = 0|1
property[dnssec ksk status][#] = SOURCE=RCODEZERO;Initial signing phase (waiting for ACK);The new keys are safe to be published in the parent zone. Please submit the DNSKEY/DS key to the parent zone and acknowledge the submission by pressing the 'Acknowledge' button.;1;Signed
property[dnssec zsk status][#] = SOURCE=RCODEZERO;ACTIVE=0|1;KEYID=(INTEGER);NEXTKEYEVENT=YYYY-MM-DDTHH:MM:SSZ
property[dnszone][#] = (TEXT)
property[keydata][#] = 257 3 13 ...
property[keydata][#] = 256 3 13 ...
property[keydsdata sha256][#] = 13 2 ...
property[premiumdnsset][#] = (TEXT)
property[signed][#] = 0|1
property[soaexpire][#] = (INTEGER)
property[soaminttl][#] = (INTEGER)
property[soamname][#] = (TEXT)
property[soarefresh][#] = (INTEGER)
property[soaretry][#] = (INTEGER)
property[soarname][#] = (TEXT)
property[soaserial][#] = (INTEGER)
property[soattl][#] = (INTEGER)
property[status][#] = ready
property[status][#] = active
property[type][#] = KSK
property[type][#] = ZSK
property[zonetype][#] = MASTER
EOF
Step 2 - Verify the domain has the DS at the parent
Use a resolver such as dig (https://linux.die.net/man/1/dig) to look up the live DS record: dig <DOMAIN> DS
Step 3 - Add DS
This step can be skipped if the DS was found in the live DNS.
The API command ModifyDomain provides two ways of adding a DS to the domain, using two separate parameters.
Method 1 (our recommendation)
It is recommended to add the DS directly with the parameter AddDNSSECDSData0=.
With this method, the KSK is not generated (DS to KSK conversion is not possible).
Sometimes the registry takes the 257 KSK and automatically creates a SHA-1 DS digest from it, which is not recommended as per the RFCs. By adding only the DS, we ensure that the registry holds only SHA-256 DS digests.
Example
[COMMAND]
command = ModifyDomain
domain = (TEXT)
ADDDNSSECDSDATA# = (TEXT)
EOF
Method 2
If you run into problems adding the DS directly, try adding the KSK instead.
By adding the 257 KSK with the parameter AddDNSSEC0=, the DS is automatically created from the KSK.
Example
[COMMAND]
command = ModifyDomain
domain = (TEXT)
ADDDNSSEC0 = (TEXT)
EOF
Step 4 (Optional) - Acknowledge DS
To avoid queuing the rollover, perform this step to initiate the rollover in KeyDNS immediately.
This is done by acknowledging the DS with the API command ModifyDNSZone and the parameter FinishKSKRollover.
(The next step, the rollover call, also acknowledges the DS automatically.)
Example
[COMMAND]
command = ModifyDNSZone
dnszone = (TEXT)
FinishKSKRollover = 1
EOF
Step 5 - Start Rollover
Using the API command ModifyDNSZone with the parameter rollover=KSK, the user initiates the rollover, or queues it if the previous step was skipped.
Example
[COMMAND]
command = ModifyDNSZone
dnszone = (TEXT)
rollover = KSK
EOF
Step 6 (Optional) - Removal of old DNSSEC data
After a successful rollover, old DNSSEC data can be removed.
Steps:
- Use the API command StatusDomain to find the current DNSSEC data that KeyDNS holds.
- Use the API command StatusDNSZone and compare the two responses to find the old DS and, if present, the old DNSKEY.
- Use the API command ModifyDomain with the parameter DelDNSSECDSData0= to remove the old DS and, if present, the parameter DelDNSSEC0= to remove the old DNSKEY.
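The checks behind Steps 1, 2 and 6 can be automated: parse the property[keydata] lines of a StatusDNSZone response, derive the SHA-256 DS of the 257 KSK as RFC 4034 defines it, and compare it with the DS set seen at the parent. This is an added example, not code from the KeyDNS API documentation; the response text, the owner name example.com. and the all-zero public key are constructed sample data.

```python
# Added example (not from the KeyDNS API docs): derive the SHA-256 DS from the 257 KSK in a
# StatusDNSZone response and compare it with the DS set at the parent (Steps 1, 2 and 6).
# The response text and the all-zero public key are constructed sample data.
import base64
import hashlib
import re
ZERO_KEY = "A" * 86 + "=="  # base64 of 64 zero bytes, standing in for a real P-256 key
SAMPLE_RESPONSE = f"""[RESPONSE]
property[dnszone][0] = example.com.
property[keydata][0] = 257 3 13 {ZERO_KEY}
property[keydata][1] = 256 3 13 {ZERO_KEY}
property[status][0] = ready
EOF"""

def parse_properties(response):
    """Collect 'property[name][i] = value' lines into {name: [values]}, in order."""
    props = {}
    for line in response.splitlines():
        m = re.match(r"\s*property\[([^\]]+)\]\[[^\]]*\]\s*=\s*(.*?)\s*$", line)
        if m:
            props.setdefault(m.group(1), []).append(m.group(2))
    return props

def ds_from_dnskey(owner, keydata):
    """RFC 4034 DS: 'keytag alg 2 sha256(canonical owner name || DNSKEY RDATA)'."""
    flags, proto, alg, *key = keydata.split()
    rdata = (int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)])
             + base64.b64decode("".join(key)))
    labels = owner.lower().rstrip(".").split(".")
    name = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"
    tag = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))  # Appendix B key tag
    tag = (tag + ((tag >> 16) & 0xFFFF)) & 0xFFFF
    return f"{tag} {int(alg)} 2 {hashlib.sha256(name + rdata).hexdigest()}"

def check_zone(owner, response, live_ds):
    """Compare the 257 KSK(s) from StatusDNSZone with the DS records seen at the parent."""
    ksks = [k for k in parse_properties(response).get("keydata", []) if k.split()[0] == "257"]
    expected = {ds_from_dnskey(owner, k) for k in ksks}
    live = {" ".join(d.split()).lower() for d in live_ds}
    return {"ksk_count": len(ksks),
            "ds_at_parent": bool(expected & live),                      # Step 2 check
            "sha1_ds": sorted(d for d in live if d.split()[2] == "1"),  # digests to replace
            "stale_ds": sorted(live - expected)}                        # Step 6 candidates

if __name__ == "__main__":
    ksk = parse_properties(SAMPLE_RESPONSE)["keydata"][0]
    # Constructed parent DS set: the current DS plus a leftover SHA-1 DS of an old key.
    parent = [ds_from_dnskey("example.com.", ksk), "1038 13 1 " + "0" * 40]
    print(check_zone("example.com.", SAMPLE_RESPONSE, parent))
```

Feed the real StatusDNSZone response and the output of dig <DOMAIN> DS into check_zone; a stale_ds entry is a candidate for DelDNSSECDSData0= in Step 6.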