> From: Mark Andrews
> Sent: Monday, July 14, 2014 6:33 PM
>
> For a DS to *work* it needs to point to a key that signs the DNSKEY
> RRset. Validators check that the signature exists. Activating the
> key will add 1 signature to the zone.

Let me preface this reply by indicating that I am far from a DNSSEC expert :). I researched it to some reasonable extent five odd years ago when we converted our infrastructure to use it, but it's more than possible I misunderstood something.

That said, I assume when you say "work", you mean for that KSK to be part of the trust path for a client to validate a given record. In which case, it's not my intent at this time for that KSK to "work", only to publish it and have a valid DS record in place, such that it could work in the future. When it's time to roll over, it will be activated and used for signing, and clients will immediately be happy with it because the valid DS record is in place. Until it's time for it to be activated, due to scheduled rollover or emergency rollover due to key compromise, the secret key for that KSK could theoretically sit in a locked safe far away from any networked system (not that we actually do that, but it would be possible).

If it were activated, it would be in use; why would I want two active KSKs (unless, I suppose, I was using the double-signature method of rollover)? Keys have a publish time separate from the activation time; your advice seems to be to always make them the same? Unless I misunderstood key rollover strategies and mechanisms, there is nothing wrong with having a published key that is not actually being used to sign anything yet.

> Not activating it increases the risk of shooting yourself in the
> foot in the future which, presumably, EDUCAUSE is trying to prevent.
> If you were to disable the current key without first activating the
> new key and allowing the old DNSKEY RRset to clear caches you would
> end up with a broken secure delegation

Well, yes, if I were to do something stupid bad things would happen ;). I could just stop publishing any DNSKEY records, leave dangling DS records in the parent, and be completely broken.
The publication and activation is controlled by our fully automated (barring manual parent DS record maintenance) DNSSEC key rollover mechanism, so I'm not particularly worried about shooting myself in the foot :).

I also don't think this is what EDUCAUSE is doing, as I haven't had any trouble entering DS records for published but not activated KSKs in the past, and I assume a change such as this would have come up in our existing technical support interaction regarding what they might have changed about the system since last year.

Thanks.
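The two positions in the thread (a validator needs *some* DS that matches a key which actually signed the DNSKEY RRset; a published-but-inactive KSK with a DS in the parent is harmless until the old key is withdrawn early) can be checked with a small model of the validator's chain-of-trust step. This is an added example, not code from the thread or from BIND. The key tag and the SHA-256 DS digest follow RFC 4034 (Appendix B and section 5.1.4); the DNSKEY public-key bytes are constructed filler rather than real curve points, the set of "signing" key tags stands in for the RRSIG(DNSKEY) records a real validator would verify, and `example.edu` is a placeholder zone name.

```python
"""Model of the DS -> DNSKEY check a validator performs at a zone cut.

A secure delegation validates when at least one DS in the parent matches a
DNSKEY in the child's apex RRset AND that key has signed the DNSKEY RRset.
Key tag and DS digest are computed as in RFC 4034; signatures are modelled
as a set of key tags (constructed stand-in for RRSIG(DNSKEY) records).
"""
import hashlib
import struct

ZONE = "example.edu."        # placeholder zone name
ALG_ECDSAP256SHA256 = 13     # RFC 6605 algorithm number
KSK_FLAGS, ZSK_FLAGS = 257, 256


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags (2), protocol (always 3), algorithm (1), public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest type 2: SHA-256 over owner name (wire form) + DNSKEY RDATA."""
    return hashlib.sha256(name_to_wire(owner) + rdata).digest()


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS RDATA as (key tag, algorithm, digest type 2, digest)."""
    return (key_tag(rdata), rdata[3], 2, ds_digest(owner, rdata))


def delegation_validates(owner, ds_set, dnskey_rrset, signer_tags) -> bool:
    """True if some DS matches a DNSKEY in the apex RRset whose tag is in signer_tags."""
    for tag, alg, dtype, digest in ds_set:
        if dtype != 2:
            continue                      # model only supports SHA-256 DS
        for rdata in dnskey_rrset:
            if rdata[3] != alg or key_tag(rdata) != tag:
                continue
            if ds_digest(owner, rdata) != digest:
                continue                  # tag collision or stale DS; keep looking
            if key_tag(rdata) in signer_tags:
                return True               # matching key really signed the RRset
    return False


# Constructed key material (deterministic bytes, 64-byte P-256 point size).
OLD_KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(1, 65)))
NEW_KSK = dnskey_rdata(KSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(65, 129)))
ZSK = dnskey_rdata(ZSK_FLAGS, ALG_ECDSAP256SHA256, bytes(range(129, 193)))


def scenario_published_not_active() -> bool:
    """Both KSKs published with DS records; only the old KSK signs. Should validate."""
    ds_set = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]
    rrset = [OLD_KSK, NEW_KSK, ZSK]
    return delegation_validates(ZONE, ds_set, rrset, {key_tag(OLD_KSK)})


def scenario_old_withdrawn_new_never_activated() -> bool:
    """Old KSK removed before the new one signs: the broken case from the thread."""
    ds_set = [make_ds(ZONE, OLD_KSK), make_ds(ZONE, NEW_KSK)]
    rrset = [NEW_KSK, ZSK]
    return delegation_validates(ZONE, ds_set, rrset, set())


def scenario_rolled_over() -> bool:
    """New KSK activated and old DS/DNSKEY withdrawn: validates on the new key alone."""
    ds_set = [make_ds(ZONE, NEW_KSK)]
    rrset = [NEW_KSK, ZSK]
    return delegation_validates(ZONE, ds_set, rrset, {key_tag(NEW_KSK)})


if __name__ == "__main__":
    print("published, not active:", scenario_published_not_active())
    print("old withdrawn early:  ", scenario_old_withdrawn_new_never_activated())
    print("after rollover:        ", scenario_rolled_over())
```

The model makes the trade-off explicit: the extra DS for the pre-published key costs nothing while the old key keeps signing, and the only failing state is the one Mark describes, where the key that the surviving DS records point at has not produced a signature over the DNSKEY RRset. Real validators additionally verify the RRSIG cryptographically and respect TTLs, which the `signer_tags` set deliberately abstracts away.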