Performing KSK Rollover with Double-DS Method

A step-by-step guide leveraging TCPWave's DDI solution

TCPWAVE

Elevate DNS security with seamless KSK rollovers.

As internet security evolves and threats diversify, the importance of DNS Security Extensions (DNSSEC) and the associated key management processes cannot be overstated. In DNSSEC, two types of keys are typically used: the Zone Signing Key (ZSK), which signs the zone's data RRsets, and the Key Signing Key (KSK), which signs the DNSKEY RRset that contains both the KSK and the ZSK. The KSK is also the key the parent zone anchors with a DS record, so rolling it always involves a change at the parent as well as in the zone itself. Given the critical role the KSK plays, it is important to roll it periodically (and immediately if it is suspected of compromise) to maintain the integrity and security of the system. This article offers a step-by-step guide to performing a KSK rollover using the Double-DS method with the help of our DDI solution.

Effortless Key Management

  • Effortlessly manage DNSSEC keys with our DDI solution. Generate new KSKs seamlessly and maintain security integrity with ease.

Secure Transitions

  • Safeguard your DNS operations with our DDI solution. Error-free KSK rollovers are ensured through automated processes and robust controls.

Improved Security

  • Elevate DNSSEC security with our DDI solution. Our automated Double-DS method enhances security transitions without manual complexities.

Simplified Parental Records

  • Streamline trust chain updates with our DDI solution. Activate new KSKs and publish the corresponding DS records at the parent with minimal manual effort.

Step 1: Generating a New KSK

The first step in a KSK rollover is generating a new KSK. Using our DDI solution, navigate to the DNSSEC settings in the TCPWave IPAM interface and generate a new KSK. Keep the new key in the published state, not active, until you are ready to proceed: it then appears in the zone's DNSKEY RRset but does not yet sign anything. Use the same algorithm as the existing keys, since changing the algorithm is a separate and more involved rollover, and note the new key's key tag, which identifies its DS record in the later steps.

Step 2: Double Signature Phase

In this phase both the old and the new KSK are active, so the DNSKEY RRset carries RRSIGs from both keys. A validator can then validate the RRset whichever of the two DS records it holds, which is what makes the later changes at the parent safe. Our DDI solution automates the dual signing; once it is complete, the system recognizes the new KSK as active. Two caveats apply. First, strictly speaking RFC 6781 calls signing with both KSKs the Double-Signature method; the combination used here, both keys signing and, in Step 3, both DS records published, is the conservative variant that RFC 7583 calls Double-RRset. Second, the DNSKEY TTL must elapse after all authoritative servers serve the dual-signed RRset before the old key may be withdrawn, because caches may still hold the RRset signed only by the old KSK.

Step 3: Parental DS Record Update

Once the new KSK is active, update the DS record at the parent zone. Generate the DS record from the new KSK (key tag, algorithm, digest type and digest; use SHA-256, digest type 2, or stronger) and add it alongside the existing DS record in the parent zone, so that two DS records exist concurrently, one for the old KSK and one for the new. Do not replace the old DS yet. How the update is performed depends on the registrar and the nature of the parent zone. Either way, confirm afterwards that every authoritative server for the parent returns both DS records and that the new one matches the published DNSKEY exactly, since a mistyped digest validates nothing. Our DDI solution can help streamline the record generation and verification, making this step easier.

Step 4: Verification

Once the new DS record is published by the parent, verify the DNSSEC chain of trust before changing anything else. Check that the DNSKEY RRset returned by the zone's authoritative servers contains both KSKs, that its RRSIGs cover it under both key tags, and that each DS record at the parent matches one of those keys. Online tools such as DNSViz and Verisign's DNSSEC debugger perform this check end to end; a validating resolver such as BIND's delv, or dig with +dnssec, can confirm the same thing from your own vantage point. Note the TTLs of the parent's DS RRset and of your DNSKEY RRset at this point, as they set the minimum waiting time before Step 5.

Step 5: Retiring the Old KSK

Once you have verified that the new KSK is operational and the chain of trust is valid, wait before retiring the old KSK: at least the DS TTL must elapse after all parent servers began returning the new DS record, and at least the DNSKEY TTL after all your servers began serving the dual-signed DNSKEY RRset. Until then a resolver may still hold a cached DS RRset containing only the old DS, and it would fail to validate a DNSKEY RRset signed only by the new key. After the waiting period, deactivate the old KSK in the DNSSEC settings of the TCPWave IPAM interface, so it is no longer used for signing. Then remove its DS record from the parent zone, leaving only the DS record that corresponds to the new KSK.

Step 6: Final Verification

Upon completing the KSK rollover, undertake one more round of verification. This final check confirms that the chain of trust is still intact, that the parent publishes only the new DS record, and that the DNSKEY RRset is signed exclusively by the new KSK (no RRSIG with the old key tag remains). Once this assurance is obtained, the old KSK can be securely purged from the system.
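The six steps above can be checked offline before and after each change at the parent. The following script is an added example written for this article; it is not TCPWave code and does not use the DDI solution's API. It computes the key tag (RFC 4034 Appendix B) and the DS digest (RFC 4034 section 5.1.4) from a DNSKEY with the standard library only, then evaluates whether a given combination of parent DS records, child DNSKEY RRset and signing keys still yields a valid chain of trust. The zone name example.com is an assumption, and the key material is constructed bytes, not real curve points; replace them with the DNSKEY fields of your own zone. Besides the article's steps it walks two failure modes: pulling the old DS before the new KSK signs, and submitting a DS with a wrong digest.

```python
"""Offline DS/DNSKEY consistency check for each phase of a KSK rollover.

Added example, not TCPWave code. Key material below is constructed bytes,
not real curve points; the zone name example.com is an assumption.
"""
import base64
import hashlib
import struct
from dataclasses import dataclass

# DS digest types (RFC 4509, RFC 6605). SHA-1 (type 1) is deliberately absent:
# RFC 8624 says new DS records MUST NOT use it.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}
KSK_FLAGS = 257  # ZONE (256) | SEP (1)


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # the base64-decoded key field

    @classmethod
    def from_text(cls, flags, protocol, algorithm, b64_key):
        """Build from the four fields of a presentation-format DNSKEY record."""
        return cls(flags, protocol, algorithm, base64.b64decode(b64_key))

    def rdata(self):
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def is_ksk(self):
        return bool(self.flags & 1)  # SEP bit


def key_tag(rdata):
    """RFC 4034 Appendix B: fold the sum of the RDATA's 16-bit big-endian words."""
    if len(rdata) % 2:
        rdata += b"\x00"
    ac = sum(struct.unpack("!%dH" % (len(rdata) // 2), rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lowercase) wire-format owner name, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner, key, digest_type=2):
    """RFC 4034 section 5.1.4: digest = hash(owner name | DNSKEY RDATA)."""
    if digest_type not in DIGEST_ALGS:
        raise ValueError("unsupported or deprecated DS digest type %d" % digest_type)
    return DIGEST_ALGS[digest_type](owner_wire(owner) + key.rdata()).hexdigest().upper()


def ds_record(owner, key, digest_type=2):
    """The (key tag, algorithm, digest type, digest) tuple handed to the parent."""
    return (key_tag(key.rdata()), key.algorithm, digest_type, ds_digest(owner, key, digest_type))


def check_chain(owner, parent_ds, child_keys, signing_tags):
    """Evaluate one rollover state.

    parent_ds    : DS tuples currently published by the parent
    child_keys   : the child's DNSKEY RRset
    signing_tags : key tags of the KSKs whose RRSIGs cover that RRset
    'valid' holds only if some parent DS matches a published KSK that is
    actually signing; 'dangling' lists DS records with no matching key (to be
    removed); 'unanchored' lists KSKs that no validator can reach via a DS yet.
    """
    by_tag = {}
    for k in child_keys:
        if k.is_ksk():
            by_tag.setdefault(key_tag(k.rdata()), []).append(k)
    matched, dangling = [], []
    for tag, alg, dtype, digest in parent_ds:
        hit = [k for k in by_tag.get(tag, [])
               if k.algorithm == alg and dtype in DIGEST_ALGS
               and ds_digest(owner, k, dtype) == digest.upper()]
        (matched if hit else dangling).append((tag, alg, dtype, digest))
    anchored = {ds[0] for ds in matched}
    return {
        "valid": any(t in signing_tags for t in anchored),
        "matched": matched,
        "dangling": dangling,
        "unanchored": sorted(t for t in by_tag if t not in anchored),
    }


ZONE = "example.com."  # assumption
OLD_KSK = DNSKEY(KSK_FLAGS, 3, 13, bytes(range(1, 65)))     # constructed; alg 13 = ECDSAP256SHA256
NEW_KSK = DNSKEY(KSK_FLAGS, 3, 13, bytes(range(100, 164)))  # constructed
ZSK = DNSKEY(256, 3, 13, bytes(range(192, 256)))            # constructed; no SEP bit, ignored by DS matching


def rollover_phases():
    """Walk the article's steps plus two failure modes; returns [(phase, result)]."""
    ds_old, ds_new = ds_record(ZONE, OLD_KSK), ds_record(ZONE, NEW_KSK)
    t_old, t_new = ds_old[0], ds_new[0]
    phases = [
        ("before",    [ds_old],         [OLD_KSK, ZSK],          {t_old}),
        ("step1",     [ds_old],         [OLD_KSK, NEW_KSK, ZSK], {t_old}),         # new KSK published, not signing
        ("step2",     [ds_old],         [OLD_KSK, NEW_KSK, ZSK], {t_old, t_new}),  # both KSKs sign the DNSKEY RRset
        ("step3",     [ds_old, ds_new], [OLD_KSK, NEW_KSK, ZSK], {t_old, t_new}),  # both DS records at the parent
        ("step5a",    [ds_old, ds_new], [NEW_KSK, ZSK],          {t_new}),         # old KSK deactivated; old DS now dangling
        ("step5b",    [ds_new],         [NEW_KSK, ZSK],          {t_new}),         # old DS removed
        ("premature", [ds_new],         [OLD_KSK, NEW_KSK, ZSK], {t_old}),         # old DS pulled before the new KSK signs
        ("typo-ds",   [(t_new, 13, 2, "00" * 32)], [NEW_KSK, ZSK], {t_new}),       # wrong digest submitted to the parent
    ]
    return [(name, check_chain(ZONE, ds, keys, sig)) for name, ds, keys, sig in phases]


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_record(ZONE, NEW_KSK)
    print("%s IN DS %d %d %d %s" % (ZONE, tag, alg, dtype, digest))  # the record for Step 3
    for name, res in rollover_phases():
        print("%-9s valid=%-5s dangling=%s unanchored=%s" % (
            name, res["valid"], [d[0] for d in res["dangling"]], res["unanchored"]))
```

Feed check_chain the DS tuples you see at the parent's authoritative servers and the DNSKEY records you see at your own; the two broken phases show why the waiting periods in Step 5 and the byte-for-byte comparison in Step 3 matter.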


Executing a KSK rollover using the Double-DS method might seem complex, but it is a necessary procedure to uphold the integrity and security of DNSSEC operations. With our DDI Solution, this process can be significantly simplified, reducing manual intervention and the associated risk of error. Through automation and robust controls, TCPWave helps to ensure seamless and secure KSK rollovers, reinforcing the safety of your DNS infrastructure. For more information, please feel free to contact us.