DNSSEC Operational Practices
RFC 4641
Document Type RFC - Informational (September 2006; Errata)
Obsoleted by RFC 6781
Obsoletes RFC 2541
Last updated 2020-01-21
Stream IETF
Formats plain text html pdf htmlized with errata bibtex
Stream WG state (None)
Document shepherd No shepherd assigned
IESG IESG state RFC 4641 (Informational)
Consensus Boilerplate Unknown
Telechat date
Responsible AD David Kessens
Send notices to sra@hactrn.net, sra@isc.org, pk@DENIC.DE
Email authors Email WG IPR References Referenced by Nits 
Network Working Group                                         O. Kolkman
Request for Comments: 4641                                     R. Gieben
Obsoletes: 2541                                               NLnet Labs
Category: Informational                                   September 2006

                      DNSSEC Operational Practices

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a set of practices for operating the DNS with
   security extensions (DNSSEC).  The target audience is zone
   administrators deploying DNSSEC.

   The document discusses operational aspects of using keys and
   signatures in the DNS.  It discusses issues of key generation, key
   storage, signature generation, key rollover, and related policies.

   This document obsoletes RFC 2541, as it covers more operational
   ground and gives more up-to-date requirements with respect to key
   sizes and the new DNSSEC specification.

Kolkman & Gieben             Informational                      [Page 1]
RFC 4641              DNSSEC Operational Practices        September 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. The Use of the Term 'key' ..................................4
      1.2. Time Definitions ...........................................4
   2. Keeping the Chain of Trust Intact ...............................5
   3. Keys Generation and Storage .....................................6
      3.1. Zone and Key Signing Keys ..................................6
           3.1.1. Motivations for the KSK and ZSK Separation ..........6
           3.1.2. KSKs for High-Level Zones ...........................7
      3.2. Key Generation .............................................8
      3.3. Key Effectivity Period .....................................8
      3.4. Key Algorithm ..............................................9
      3.5. Key Sizes ..................................................9
      3.6. Private Key Storage .......................................11
   4. Signature Generation, Key Rollover, and Related Policies .......12
      4.1. Time in DNSSEC ............................................12
           4.1.1. Time Considerations ................................12
      4.2. Key Rollovers .............................................14
           4.2.1. Zone Signing Key Rollovers .........................14
                  4.2.1.1. Pre-Publish Key Rollover ..................15
                  4.2.1.2. Double Signature Zone Signing Key
                           Rollover ..................................17
                  4.2.1.3. Pros and Cons of the Schemes ..............18
           4.2.2. Key Signing Key Rollovers ..........................18
           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
           4.2.4. Automated Key Rollovers ............................21
      4.3. Planning for Emergency Key Rollover .......................21
           4.3.1. KSK Compromise .....................................22
                  4.3.1.1. Keeping the Chain of Trust Intact .........22
                  4.3.1.2. Breaking the Chain of Trust ...............23
           4.3.2. ZSK Compromise .....................................23
           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
      4.4. Parental Policies .........................................24
           4.4.1. Initial Key Exchanges and Parental Policies
                  Considerations .....................................24
           4.4.2. Storing Keys or Hashes? ............................25
           4.4.3. Security Lameness ..................................25
           4.4.4. DS Signature Validity Period .......................26
   5. Security Considerations ........................................26
   6. Acknowledgments ................................................26
   7. References .....................................................27
      7.1. Normative References ......................................27
      7.2. Informative References ....................................28
   Appendix A. Terminology ...........................................30
   Appendix B. Zone Signing Key Rollover How-To ......................31
   Appendix C. Typographic Conventions ...............................32

Kolkman & Gieben             Informational                      [Page 2]
RFC 4641              DNSSEC Operational Practices        September 2006

1.  Introduction

   This document describes how to run a DNS Security (DNSSEC)-enabled
   environment.  It is intended for operators who have knowledge of the
   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.
Show full document text
RFC Editor IASA & IETF LLC IETF Trust IRTF IETF IESG IAB IANA Privacy Statement IETF Tools