Ticket #481 (new enhancement)

Opened 13 months ago

Last modified 7 months ago

Seperating KSK and ZSK to prevent compromise of KSK

Reported by: anon Owned by: ahu
Priority: normal Milestone:
Component: auth Version: 3.2
Severity: normal Keywords:
Cc:

Description

As the KSK in terms records is just 2 records, the DNSKEY-record for the public key part of the KSK and the RRSIG over all the DNSKEY-records.

If the RRSIG is added to the records-table, than the KSK private key does not have to be stored with the rest of the key material for other operations than changing keys.

The KSK private key could be kept in the filesystem, a HSM or not be replicated when using a database as in hidden master-like setup or offline.

It might not work with presigned because of ordering, but with presigned you might as well not even keep the cryptokeys table in the database.

It should work in theory with something like NSEC3-narrow.

I'm not sure about the other modes of DNSSEC operation PowerDNS supports.

Change History

Changed 13 months ago by anon

  • owner changed from somebody to ahu
  • component changed from component1 to auth

Changed 13 months ago by anon

Just to clarify:

The reason why the KSK is important is because if you have hundreds or thousands of singed zones you'll be happy you don't have to communicate all the new KSKs to the parent zones when your database is compromised. Even if it is automated.

Changed 9 months ago by peter

  • version set to 3.1

Changed 7 months ago by peter

  • version changed from 3.1 to 3.2
Note: See TracTickets for help on using tickets.