[DNSOP] Recovering from loss of DNSSEC private keys
Tony Finch <dot@dotat.at> Thu, 13 September 2012 17:45 UTC
Return-Path: <fanf2@hermes.cam.ac.uk>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3FD4A21F8504 for <dnsop@ietfa.amsl.com>; Thu, 13 Sep 2012 10:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.422
X-Spam-Level:
X-Spam-Status: No, score=-4.422 tagged_above=-999 required=5 tests=[AWL=-0.423, BAYES_50=0.001, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2vu1ex8j+Y92 for <dnsop@ietfa.amsl.com>; Thu, 13 Sep 2012 10:45:02 -0700 (PDT)
Received: from ppsw-50.csi.cam.ac.uk (ppsw-50.csi.cam.ac.uk [131.111.8.150]) by ietfa.amsl.com (Postfix) with ESMTP id 12C1E21F859E for <dnsop@ietf.org>; Thu, 13 Sep 2012 10:45:01 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-SpamDetails: not scanned
X-Cam-ScannerInfo: http://www.cam.ac.uk/cs/email/scanner/
Received: from hermes-1.csi.cam.ac.uk ([131.111.8.51]:34015) by ppsw-50.csi.cam.ac.uk (smtp.hermes.cam.ac.uk [131.111.8.157]:25) with esmtpa (EXTERNAL:fanf2) id 1TCDTI-00037Q-rn (Exim 4.72) for dnsop@ietf.org (return-path <fanf2@hermes.cam.ac.uk>); Thu, 13 Sep 2012 18:45:00 +0100
Received: from fanf2 by hermes-1.csi.cam.ac.uk (hermes.cam.ac.uk) with local id 1TCDTI-0002ge-LC (Exim 4.72) for dnsop@ietf.org (return-path <fanf2@hermes.cam.ac.uk>); Thu, 13 Sep 2012 18:45:00 +0100
Date: Thu, 13 Sep 2012 18:45:00 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-1.csi.cam.ac.uk
To: dnsop@ietf.org
Message-ID: <alpine.LSU.2.00.1209131840290.1469@hermes-1.csi.cam.ac.uk>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Subject: [DNSOP] Recovering from loss of DNSSEC private keys
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsop>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Sep 2012 17:45:05 -0000
Your master nameserver has died. You just found out your backups are unreadable. Your disaster recovery plan is in tatters. But there's no need to panic! The easy answer in this situation is to delete your DS record(s) from the parent zone to go insecure, then reconstruct your DNS setup with new keys, before adding new DS records to re-establish a chain of trust. But if you have a copy of the zone, with signature and public keys, but not the private keys, it is still just about possible to transition to a new set of keys without breaking the chain of trust. The key observation is that some of the standard key rollover procedures can mostly be performed without generating new signatures with the old private key. The process goes like this: (1) Set up the existing zone on your new master. Generate new keys - you can't publish them yet because you can't make any changes to the zone without the old private keys. (2) Add DS record(s) to your parent zone corresponding to your new KSK, and keep the old DS record(s). Wait for the DS RRset TTL so that the old records expire. Now everyone is prepared to trust your new KSK. (3) Add the new KSK and ZSK public keys to the DNSKEY RRset and sign it with the new KSK. The rest of the zone remains signed with the old ZSK. There is a problem here in that you can't update the SOA serial number, so you need to use underhanded means to update the slaves with the new zone. Wait for the DNSKEY RRset TTL. Now everyone is willing and able to validate signatures made with your new keys, and can still validate old signatures. (4) Re-sign the rest of the zone with the new ZSK. Wait for the zone's maximum TTL. Now no-one has any signatures made with the old keys. (5) Clean up by deleting the old DS record(s) from the parent and the old public keys from the DNSKEY RRset. Tony. -- f.anthony.n.finch <dot@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.