DNSSEC Rollover Procedures (KSK and ZSK Rotation)

#Changing the Locks: The Art of the Rollover#link

In cryptography, 'rotation' is the process of replacing an old key with a new one. In DNSSEC, this is the most dangerous operation an admin can perform. Because DNS records are cached worldwide, a mistake in the rollover timing can result in a 'global blackout' for your domain.

ZSK Rollover: The Pre-Publish Method

To rotate a ZSK without breaking the site, you cannot just delete the old key and add a new one. You must use the 'Pre-Publish' method: 1. Publish the new ZSK public key in the zone, but do NOT use it to sign yet. 2. Wait for the TTL (Time To Live) to expire so all resolvers have the new key. 3. Switch to signing with the new ZSK. 4. Wait for the old RRSIGs to expire before removing the old ZSK.

# Conceptual ZSK Rollover Timeline
Day 1: Add New_ZSK_Pub to DNSKEY
Day 2: (Wait for TTL)
Day 3: Start signing records with New_ZSK_Priv
Day 4: (Wait for old signatures to expire)
Day 5: Remove Old_ZSK_Pub

This ensures that no matter which key a resolver has in its cache (the old one or the new one), it can always validate the current signature.

KSK Rollover: The Coordination Challenge

Rotating a KSK is significantly harder because it involves a third party: the Registrar. The la 'Double-DS' method is the safest approach: 1. Generate a new KSK. 2. Publish both the old and new KSKs in the zone. 3. Upload both the old and new DS records to the parent TLD. 4. Once the new DS record is propagated, remove the old KSK.

The 'Emergency' Rollover

What happens if your KSK is stolen? You must perform an emergency rollover. This involves immediately generating a new KSK, updating the DS record at the registrar, and resigning the entire zone. The goal is to minimize the window during which the attacker can sign malicious records.

• ▪Use automation (OpenDNSSEC) for ZSK rotations
• ▪Maintain a 'Key Backup' in a secure vault
• ▪Test rollover procedures in a staging environment
• ▪Use short TTLs during the rotation window