
DNSSEC Operational Practices
RFC 4641

Document type: RFC - Informational (September 2006; Errata)
Obsoleted by RFC 6781
Obsoletes RFC 2541
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html


IESG State: RFC 4641 (Informational)
Responsible AD: David Kessens

Network Working Group                                         O. Kolkman
Request for Comments: 4641                                     R. Gieben
Obsoletes: 2541                                               NLnet Labs
Category: Informational                                   September 2006

                      DNSSEC Operational Practices

Status of This Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   This document describes a set of practices for operating the DNS with
   security extensions (DNSSEC).  The target audience is zone
   administrators deploying DNSSEC.

   The document discusses operational aspects of using keys and
   signatures in the DNS.  It discusses issues of key generation, key
   storage, signature generation, key rollover, and related policies.

   This document obsoletes RFC 2541, as it covers more operational
   ground and gives more up-to-date requirements with respect to key
   sizes and the new DNSSEC specification.

Kolkman & Gieben             Informational                      [Page 1]
RFC 4641              DNSSEC Operational Practices        September 2006

Table of Contents

   1. Introduction ....................................................3
      1.1. The Use of the Term 'key' ..................................4
      1.2. Time Definitions ...........................................4
   2. Keeping the Chain of Trust Intact ...............................5
   3. Keys Generation and Storage .....................................6
      3.1. Zone and Key Signing Keys ..................................6
           3.1.1. Motivations for the KSK and ZSK Separation ..........6
           3.1.2. KSKs for High-Level Zones ...........................7
      3.2. Key Generation .............................................8
      3.3. Key Effectivity Period .....................................8
      3.4. Key Algorithm ..............................................9
      3.5. Key Sizes ..................................................9
      3.6. Private Key Storage .......................................11
   4. Signature Generation, Key Rollover, and Related Policies .......12
      4.1. Time in DNSSEC ............................................12
           4.1.1. Time Considerations ................................12
      4.2. Key Rollovers .............................................14
           4.2.1. Zone Signing Key Rollovers .........................14
                  4.2.1.1. Pre-Publish Key Rollover ..................15
                  4.2.1.2. Double Signature Zone Signing Key
                           Rollover ..................................17
                  4.2.1.3. Pros and Cons of the Schemes ..............18
           4.2.2. Key Signing Key Rollovers ..........................18
           4.2.3. Difference Between ZSK and KSK Rollovers ...........20
           4.2.4. Automated Key Rollovers ............................21
      4.3. Planning for Emergency Key Rollover .......................21
           4.3.1. KSK Compromise .....................................22
                  4.3.1.1. Keeping the Chain of Trust Intact .........22
                  4.3.1.2. Breaking the Chain of Trust ...............23
           4.3.2. ZSK Compromise .....................................23
           4.3.3. Compromises of Keys Anchored in Resolvers ..........24
      4.4. Parental Policies .........................................24
           4.4.1. Initial Key Exchanges and Parental Policies
                  Considerations .....................................24
           4.4.2. Storing Keys or Hashes? ............................25
           4.4.3. Security Lameness ..................................25
           4.4.4. DS Signature Validity Period .......................26
   5. Security Considerations ........................................26
   6. Acknowledgments ................................................26
   7. References .....................................................27
      7.1. Normative References ......................................27
      7.2. Informative References ....................................28
   Appendix A. Terminology ...........................................30
   Appendix B. Zone Signing Key Rollover How-To ......................31
   Appendix C. Typographic Conventions ...............................32


1.  Introduction

[include full document text]