DNSSEC Operational Practices
RFC 4641

| Document | Type | RFC - Informational (September 2006; Errata) |
|---|---|---|
| | | Obsoleted by RFC 6781 |
| | | Obsoletes RFC 2541 |
| | Last updated | 2018-12-20 |
| | Stream | IETF |
| Stream | WG state | (None) |
| | Document shepherd | No shepherd assigned |
| IESG | IESG state | RFC 4641 (Informational) |
| | Consensus Boilerplate | Unknown |
| | Responsible AD | David Kessens |
| | Send notices to | sra@hactrn.net, sra@isc.org, pk@DENIC.DE |
Network Working Group                                        O. Kolkman
Request for Comments: 4641                                    R. Gieben
Obsoletes: 2541                                              NLnet Labs
Category: Informational                                  September 2006

                      DNSSEC Operational Practices

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a set of practices for operating the DNS
   with security extensions (DNSSEC).  The target audience is zone
   administrators deploying DNSSEC.

   The document discusses operational aspects of using keys and
   signatures in the DNS.  It discusses issues of key generation, key
   storage, signature generation, key rollover, and related policies.

   This document obsoletes RFC 2541, as it covers more operational
   ground and gives more up-to-date requirements with respect to key
   sizes and the new DNSSEC specification.

Kolkman & Gieben             Informational                      [Page 1]

RFC 4641              DNSSEC Operational Practices        September 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. The Use of the Term 'key' ..................................4
      1.2. Time Definitions ...........................................4
   2. Keeping the Chain of Trust Intact ...............................5
   3. Keys Generation and Storage .....................................6
      3.1. Zone and Key Signing Keys ..................................6
           3.1.1. Motivations for the KSK and ZSK Separation ..........6
           3.1.2. KSKs for High-Level Zones ...........................7
      3.2. Key Generation .............................................8
      3.3. Key Effectivity Period .....................................8
      3.4. Key Algorithm ..............................................9
      3.5. Key Sizes ..................................................9
      3.6. Private Key Storage .......................................11
   4. Signature Generation, Key Rollover, and Related Policies .......12
      4.1. Time in DNSSEC ............................................12
           4.1.1. Time Considerations ................................12
      4.2. Key Rollovers .............................................14
           4.2.1. Zone Signing Key Rollovers .........................14
                  4.2.1.1. Pre-Publish Key Rollover ..................15
                  4.2.1.2. Double Signature Zone Signing Key
                           Rollover ..................................17
                  4.2.1.3. Pros and Cons of the Schemes ..............18
           4.2.2. Key Signing Key Rollovers ..........................18
           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
           4.2.4. Automated Key Rollovers ............................21
      4.3. Planning for Emergency Key Rollover .......................21
           4.3.1. KSK Compromise .....................................22
                  4.3.1.1. Keeping the Chain of Trust Intact .........22
                  4.3.1.2. Breaking the Chain of Trust ...............23
           4.3.2. ZSK Compromise .....................................23
           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
      4.4. Parental Policies .........................................24
           4.4.1. Initial Key Exchanges and Parental Policies
                  Considerations .....................................24
           4.4.2. Storing Keys or Hashes? ............................25
           4.4.3. Security Lameness ..................................25
           4.4.4. DS Signature Validity Period .......................26
   5. Security Considerations ........................................26
   6. Acknowledgments ................................................26
   7. References .....................................................27
      7.1. Normative References ......................................27
      7.2. Informative References ....................................28
   Appendix A. Terminology ...........................................30
   Appendix B. Zone Signing Key Rollover How-To ......................31
   Appendix C. Typographic Conventions ...............................32

1. Introduction

   This document describes how to run a DNS Security (DNSSEC)-enabled
   environment.  It is intended for operators who have knowledge of the
   DNS (see RFC 1034 [1] and RFC 1035 [2]) and want to deploy DNSSEC.