[DNSOP] Re: I-D Action: draft-ietf-dnsop-dnssec-keyrestore-01.txt
Martin Pels <mpels@ripe.net> Wed, 13 May 2026 15:14 UTC
To: dnsop@ietf.org
From: Martin Pels <mpels@ripe.net>
CC: Florian Obser <florian+ietf@narrans.de>
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/EMv0S55MQWNItzvb5UM_PsX_Ioc>
Hello,

This version addresses all of the comments we received on and off list. In addition, we tried out the procedure in this document on a test zone. Based on this experience we added two important considerations:

1. While performing this procedure to recover from an unusable ZSK or CSK the SOA record of the zone cannot be changed. This is because at the moment the new DNSKEY gets introduced into the zone, the DNSKEY RRset cannot be signed with the old, unusable key.

2. Signer implementations may automatically add CDS/CDNSKEY records to the zone. This is not just pointless, but must actually be prevented. Adding the CDS/CDNSKEY records changes the type bitmap in the NSEC or NSEC3 record of the zone, which cannot be signed with the unusable DNSKEY and thus would be bogus in resolvers that have not yet learned the new DNSKEY.

We would love to hear your feedback on this new version.

Kind regards,
Martin and Florian

On 13/05/2026 16:51, internet-drafts@ietf.org wrote:
> Internet-Draft draft-ietf-dnsop-dnssec-keyrestore-01.txt is now available. It
> is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
>
> Title: DNSSEC Key Restore
> Authors: Florian Obser
> Martin Pels
> Name: draft-ietf-dnsop-dnssec-keyrestore-01.txt
> Pages: 12
> Dates: 2026-05-13
>
> Abstract:
>
> This document describes the issues surrounding the handling of DNSSEC
> private keys in a DNSSEC signer. It presents operational guidance in
> case a DNSSEC private key becomes inoperable.
>
> Discussion Venues
>
> This note is to be removed before publishing as an RFC.
>
> Discussion of this document takes place on the Domain Name System
> Operations Working Group mailing list (dnsop@ietf.org) which is
> archived at https://mailarchive.ietf.org/arch/browse/dnsop/.
>
> Source for this draft and an issue tracker can be found at
> https://github.com/fobser/draft-fobser-dnsop-dnssec-keyrecovery.
>
> The IETF datatracker status page for this Internet-Draft is:
> https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-keyrestore/
>
> There is also an HTML version available at:
> https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-keyrestore-01.html
>
> A diff from the previous version is available at:
> https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-keyrestore-01
>
> Internet-Drafts are also available by rsync at:
> rsync.ietf.org::internet-drafts
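The two considerations above amount to an invariant on the zone while the old key is unusable: nothing but the DNSKEY RRset (and the signatures over it) may differ between the published zone and the candidate zone. The following pre-flight check is an added example, not code from the thread or the draft; it assumes one-record-per-line presentation-format zone text and uses constructed placeholder key and signature data.

```python
from collections import defaultdict

# Only the DNSKEY RRset and the signatures over it may change while the old key
# is unusable; every other record must keep its existing, still-valid signature.
ALLOWED = {"DNSKEY", "RRSIG(DNSKEY)"}

def parse_zone(text):
    """Map (owner, type) -> set of rdata strings for one-record-per-line zone text.
    RRSIGs are keyed by the type they cover, e.g. ("example.test.", "RRSIG(SOA)")."""
    rrsets = defaultdict(set)
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype == "RRSIG":
            rtype = "RRSIG(%s)" % rdata.split()[0]
        rrsets[(owner, rtype)].add(rdata)
    return rrsets

def check_keyrestore_diff(old_text, new_text):
    """Return the changes that resolvers which have not yet learned the new DNSKEY
    could not validate; an empty list means the candidate zone is safe to publish."""
    old, new = parse_zone(old_text), parse_zone(new_text)
    problems = []
    for owner, rtype in sorted(set(old) | set(new)):
        if rtype in ALLOWED or old.get((owner, rtype)) == new.get((owner, rtype)):
            continue
        if rtype in ("CDS", "CDNSKEY"):
            why = "signer added CDS/CDNSKEY, which also changes the NSEC/NSEC3 bitmap"
        elif rtype == "SOA":
            why = "SOA changed and cannot be re-signed with the unusable key"
        elif rtype in ("NSEC", "NSEC3"):
            why = "type bitmap changed, so the old signature no longer matches"
        else:
            why = "changed and cannot be re-signed with the unusable key"
        problems.append("%s %s: %s" % (owner, rtype, why))
    return problems

# Constructed sample zone; key and signature fields are placeholders, not real data.
OLD_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2026051301 7200 3600 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 OLDKEYPLACEHOLDER==
example.test. 3600 IN NSEC ns1.example.test. SOA RRSIG NSEC DNSKEY
example.test. 3600 IN RRSIG SOA 13 2 3600 20260601000000 20260513000000 11111 example.test. OLDSIG==
"""
# Correct restore step: only the new DNSKEY and a fresh signature over the DNSKEY RRset are added.
GOOD_ZONE = OLD_ZONE + "example.test. 3600 IN DNSKEY 257 3 13 NEWKEYPLACEHOLDER==\n" + \
    "example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20260601000000 20260513000000 22222 example.test. NEWSIG==\n"
# What an unaware signer would produce: serial bump, automatic CDS, and therefore a new NSEC bitmap.
BAD_ZONE = GOOD_ZONE.replace("2026051301", "2026051302").replace("NSEC DNSKEY", "NSEC DNSKEY CDS") + \
    "example.test. 3600 IN CDS 22222 13 2 DIGESTPLACEHOLDER\n"
```

Run the check against the signer's output before the zone is pushed; any non-empty result is a zone that resolvers still trusting only the old DNSKEY would mark bogus.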