Powerdns auth - DNSSEC CSK Rollover

[victoredvardsson]

Hello,

Im looking into Powerdns auth for a fairly large scale deployment, we will definitely need to automate the rollover of DNSSEC keys.

I have read through the docs and come to the conclusion that the default behaviour of pdnsutil secure-zone <ZONE> is generating a CSK instead of traditional ZSK/KSK setup.

Now to the question.. I cannot find any information on how we are supposed to do a rollover of a CSK without impacting the functionality. With KSK/ZSK we can use the pdnsutil add-zone-key command to add duplicate keys during rollover, but it does not seem to be possible with CSK?

Is there a proposed solution for this, or is the intention that the CSK should be static?

Thanks!

[Habbie]

Through a series of historical accidents, any key with the SEP bit (1, so flags 257) is called a KSK, and any key without it (flags 256) is called a ZSK. But those names are only valid when both exist. The moment you only have key(s) of one flags value, those keys are CSKs. You can have multiple CSKs. Assuming you are using our defaults, your CSK has flags 257, and you can add another "KSK".

(paste edited for readability)

$ pdnsutil show-zone no2.nl
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys: 
ID = 1789291651 (CSK), flags = 257, tag = 49985, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 ) 
CSK DNSKEY = no2.nl. IN DNSKEY 257 3 13 [data] ; ( ECDSAP256SHA256 )
DS = no2.nl. IN DS 49985 13 2 [data] ; ( SHA256 digest )
DS = no2.nl. IN DS 49985 13 4 [data] ; ( SHA-384 digest )
$ pdnsutil add-zone-key no2.nl ksk
Added a KSK with algorithm = 13, active=0
323744677
peter@baruch:~/projects/powerdns/pdns-data $ ppdnsutil --config-dir=. --config-name=lmdb show-zone no2.nl
This is a Native zone
Metadata items: None
Zone has NSEC semantics
keys: 
ID = 323744677 (CSK), flags = 257, tag = 31031, algo = 13, bits = 256	Inactive	 Published  ( ECDSAP256SHA256 ) 
CSK DNSKEY = no2.nl. IN DNSKEY 257 3 13 [data] ; ( ECDSAP256SHA256 )
DS = no2.nl. IN DS 31031 13 2 [data] ; ( SHA256 digest )
DS = no2.nl. IN DS 31031 13 4 [data] ; ( SHA-384 digest )
ID = 1789291651 (CSK), flags = 257, tag = 49985, algo = 13, bits = 256	  Active	 Published  ( ECDSAP256SHA256 ) 
CSK DNSKEY = no2.nl. IN DNSKEY 257 3 13 [data] ; ( ECDSAP256SHA256 )
DS = no2.nl. IN DS 49985 13 2 [data] ; ( SHA256 digest )
DS = no2.nl. IN DS 49985 13 4 [data] ; ( SHA-384 digest )

Now I have two CSKs.

[victoredvardsson]

Thanks for explaining, now it makes perfect sense.

So a rollover scenario would look something like this?

1. pdnsutil add-zone-key ksk active
2. Provide parent domain with new DS/DNSKEY and verify that both exists at their end
3. Inactivate old CSK and remove when safe.

[Habbie]

Yes, sounds right. Do keep relevant TTLs in mind, of course.

[klaus-nicat]

And increase the serial after adding/deleting keys in case you secondary name servers using AXFR to fetch the zone.