Commit 746b24ee authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

ksk rollover: manual

parent 14e414b1
......@@ -274,7 +274,7 @@ Automatic DNSSEC signing
Knot DNS supports automatic DNSSEC signing for static zones. The signing
can operate in two modes:
1. :ref:`Automatic key management <dnssec-automatic-key-management>`.
1. :ref:`Automatic key management <dnssec-automatic-zsk-management>`.
In this mode, the server maintains signing keys. New keys are generated
according to assigned policy and are rolled automatically in a safe manner.
No zone operator intervention is necessary.
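Review bot: the first list item still reads "Automatic key management" while its target anchor was renamed to dnssec-automatic-zsk-management, so the link text no longer matches the section it now points at ("Automatic ZSK management"); rename the link text to match, and add an item referencing the new dnssec-automatic-ksk-management section so the KSK rollover feature is reachable from this overview of signing modes.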
......@@ -296,12 +296,12 @@ by LMDB.
the database also contains private key material – don't set the permissions
too week.
.. _dnssec-automatic-key-management:
.. _dnssec-automatic-zsk-management:
Automatic key management
Automatic ZSK management
------------------------
For automatic key management, a signing policy has to be configured and
For automatic ZSK management, a signing policy has to be configured and
assigned to the zone. The policy specifies how the zone is signed (i.e. signing
algorithm, key size, key lifetime, signature lifetime, etc.). The policy can
be configured in the :ref:`policy section <Policy section>`, or a ``default``
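Review bot: renaming the anchor dnssec-automatic-key-management to dnssec-automatic-zsk-management breaks any other :ref: in the documentation that still uses the old label (Sphinx reports an undefined label); search the rest of doc/ for the old name or keep the old anchor next to the new one. While touching this hunk, the context line "don't set the permissions too week" should read "too weak".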
......@@ -344,6 +344,37 @@ the server logs to see whether everything went well.
match the algorithm of all imported keys. Otherwise the zone will be resigned
at all.
.. _dnssec-automatic-ksk-management:
Automatic KSK management
------------------------
For automatic KSK management, first configure ZSK management like above, and use
additional options in :ref:`policy section <Policy section>`, mostly specifying
desired (finite) lifetime for KSK: ::
remote:
- id: cz_zone
address: 194.0.12.1@53
policy:
- id: rsa
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 1024
ksk-lifetime: 365d
ksk-submittion-check: [cz_zone]
zone:
- domain: myzone.test
dnssec-signing: on
dnssec-policy: rsa
After the initially-generated KSK reaches its lifetime, new KSK is published and after
convenience delay the submittion is started. The server publishes CDS and CDNSKEY records
and the user shall propagate them to the parent. The server periodically checks for
DS at the master and when positive, finishes the rollover.
.. _dnssec-manual-key-management:
Manual key management
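Review bot: the new section says the server "checks for DS at the master", but the ksk-submittion-check option introduced here lists the parent's DNS servers, so write "at the parent's servers listed in ksk-submittion-check" to avoid confusion with the zone master. "After convenience delay" names no option; state which policy option controls that delay. The example pairs a 2048-bit KSK with a 1024-bit ZSK (zsk-size: 1024); readers copy examples verbatim, so use at least 2048 for the ZSK as well, and prefer an RFC 5737 documentation address over a live server address in the remote stanza. Spelling: "submittion" should be "submission" throughout; since it is part of a configuration key name, settle the spelling before this ships, because renaming a key later breaks existing configurations. Finally, "the user shall propagate them to the parent" is the security-critical manual step of the whole procedure; say plainly that the rollover does not complete until the DS is visible at every listed remote, and what the operator should do if it never appears.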
......@@ -444,7 +475,7 @@ of the limitations will be hopefully removed in the near future.
- Only one DNSSEC algorithm can be used per zone.
- CSK rollover with Single-Type Signing scheme is not implemented.
- ZSK rollover always uses key pre-publish method (actually a feature).
- KSK rollover is not implemented.
- KSK rollover always uses pre-publish double-ksk method.
- Signing:
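Review bot: the limitations list now documents the KSK rollover method but not the fact, stated in the new "Automatic KSK management" section, that getting the DS published at the parent remains the operator's job; add a bullet along the lines of "DS records are not submitted to the parent automatically; the server only publishes CDS/CDNSKEY and polls the parent for the DS", so readers scanning the limitations do not assume a fully hands-off rollover.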
......
......@@ -513,6 +513,7 @@ policy:
zsk\-size: SIZE
dnskey\-ttl: TIME
zsk\-lifetime: TIME
ksk\-lifetime: TIME
propagation\-delay: TIME
rrsig\-lifetime: TIME
rrsig\-refresh: TIME
......@@ -520,6 +521,8 @@ policy:
nsec3\-iterations: INT
nsec3\-salt\-length: INT
nsec3\-salt\-lifetime: TIME
ksk\-submittion\-check: remote_id ...
ksk\-submittion\-check\-interval: TIME
.ft P
.fi
.UNINDENT
......@@ -591,6 +594,21 @@ A period between ZSK publication and the next rollover initiation.
ZSK key lifetime is also infuenced by propagation\-delay and dnskey\-ttl
.UNINDENT
.UNINDENT
.SS ksk\-lifetime
.sp
A period between KSK publication and the next rollover initiation.
.sp
\fIDefault:\fP infinity
.sp
\fBNOTE:\fP
.INDENT 0.0
.INDENT 3.5
KSK key lifetime is also infuenced by propagation\-delay, dnskey\-ttl,
and KSK submittion delay.
.sp
The default infinite value causes no KSK rollover as a result.
.UNINDENT
.UNINDENT
.SS propagation\-delay
.sp
An extra delay added for each key rollover step. This value should be high
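Review bot: the new ksk\-lifetime note copies the typo "infuenced" from the zsk\-lifetime entry above it and adds "submittion"; both should read "influenced" and "submission". The last sentence is clearer as "With the default (infinite) lifetime, no KSK rollover is ever started", which also makes explicit that existing configurations keep their behaviour after upgrading.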
......@@ -635,6 +653,20 @@ name before hashing.
A validity period of newly issued salt field.
.sp
\fIDefault:\fP 30 days
.SS ksk\-submittion\-check
.sp
A list of \fI\%references\fP to parent\(aqs DNS servers to be checked for
presence of corresponding DS records in case of KSK submittion. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
.sp
\fIDefault:\fP not set
.SS ksk\-submittion\-check\-interval
.sp
Interval for periodic checks of DS resence on parent\(aqs DNS servers, in case of
KSK submittion.
.sp
\fIDefault:\fP 1 hour
.SH REMOTE SECTION
.sp
Definitions of remote servers for outgoing connections (source of a zone
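Review bot: "DS resence" should be "DS presence". The ksk\-submittion\-check text says that with no remotes configured the rollover "must be pushed forward manually" but does not say how; name the command the operator runs, otherwise the default (not set) leaves a rollover waiting in the submission state with no documented way to finish it.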
......
......@@ -573,6 +573,7 @@ DNSSEC policy configuration.
zsk-size: SIZE
dnskey-ttl: TIME
zsk-lifetime: TIME
ksk-lifetime: TIME
propagation-delay: TIME
rrsig-lifetime: TIME
rrsig-refresh: TIME
......@@ -580,6 +581,8 @@ DNSSEC policy configuration.
nsec3-iterations: INT
nsec3-salt-length: INT
nsec3-salt-lifetime: TIME
ksk-submittion-check: remote_id ...
ksk-submittion-check-interval: TIME
.. _policy_id:
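Review bot: the new keys ksk-submittion-check and ksk-submittion-check-interval misspell "submission"; these are user-facing configuration key names that must match the server's configuration schema, so fix the spelling in code and documentation together before release, when renaming is still free, rather than later, when it would break existing knot.conf files.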
......@@ -672,6 +675,21 @@ A period between ZSK publication and the next rollover initiation.
.. NOTE::
ZSK key lifetime is also infuenced by propagation-delay and dnskey-ttl
.. _policy_ksk-lifetime:
ksk-lifetime
------------
A period between KSK publication and the next rollover initiation.
*Default:* infinity
.. NOTE::
KSK key lifetime is also infuenced by propagation-delay, dnskey-ttl,
and KSK submittion delay.
The default infinite value causes no KSK rollover as a result.
.. _policy_propagation-delay:
propagation-delay
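Review bot: same typos as in the knot.conf man page: "infuenced" should be "influenced" and "submittion" should be "submission". Since the `.. NOTE::` block renders prominently, also reword "The default infinite value causes no KSK rollover as a result" to "With the default (infinite) lifetime, no KSK rollover is ever started".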
......@@ -740,6 +758,28 @@ A validity period of newly issued salt field.
*Default:* 30 days
.. _policy_ksk-submittion-check:
ksk-submittion-check
--------------------
A list of :ref:`references<remote_id>` to parent's DNS servers to be checked for
presence of corresponding DS records in case of KSK submittion. All of them must
have corresponding DS for the rollover to continue. If none specified, the rollover
must be pushed forward manually.
*Default:* not set
.. _policy_ksk-submittion-check-interval:
ksk-submittion-check-interval
-----------------------------
Interval for periodic checks of DS resence on parent's DNS servers, in case of
KSK submittion.
*Default:* 1 hour
.. _Remote section:
Remote section
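Review bot: "DS resence" should be "DS presence". The ksk-submittion-check description should state whether the check requires a DS matching the new KSK or accepts any DS at the parent, since a DS left over for the old key must not let the rollover proceed; the ksk-submittion-check-interval entry should add that the interval bounds how long after the parent publishes the DS the rollover completes, so operators can trade polling load against rollover latency deliberately.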
......