Your Bug Report Will Be Graded
"I'm not proud of being a congenital pain in the ass. But I will take money for it."

Archives

KSK Double-DS rollover, just say no

Sun 18 March 2018 | -- (permalink)

Roy Arends gave a talk at today's IEPG meeting about a DNSSEC outage caused by an attempt to combine a DS hash algorithm roll with a type of key roll called a "KSK Double-DS" roll. Roy analyzed the problem that occurred in some detail, I'll post a link here when his slides become available, but he got me wondering why anybody would even try the KSK Double-DS stunt in the first place.

To me, the obvious way to do a DNSSEC KSK roll is the other approach documented in RFC 6781, called the "Double-Signature" method.

Leaving aside the oops that Roy reported (which has no direct analog with the Double-Signature method), the Double-DS approach requires multiple interactions with the parent zone, which is one of the most error prone parts of the entire process. With Double-Signature, I can add the new DSKEY RR, update the child zone, and verify it, all without bothering anybody else, particularly if I'm using a signing setup where I can check the signed updated zone before putting it in service (static compilation with dnssec-signzone, hidden signing master, whatever). Yeah, the stage where one asks the parent zone to replace the DS RR is scary, but that's unavoidable, and the failure modes for the DS change are simpler than for Double-DS.

Just say "no" to Double-DS.