To: dnsop@cafax.se
From: "Olaf M. Kolkman" <olaf@ripe.net>
Date: Mon, 25 Aug 2003 09:26:47 +0200
Sender: owner-dnsop@cafax.se
Subject: draft-kolkman-dnssec-operational-practices-00.txt
Colleagues,

draft-kolkman-dnssec-operational-practices-00.txt is now in the I-D repository. To give you an idea about the content, the abstract and index are copied below.

Does the working group want to accept this document as a working group item?

-- Olaf

---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC

Abstract

This Internet-Draft is intended as a place holder for considerations and operational practices for DNSSEC key-management. It is intended to be 'long-lived' and result in documentation of best(?) current practices.

Table of Contents

1. Introduction
2. Time in DNSSEC
2.1 Time definitions
2.2 Time considerations
3. Keys
3.1 Using Key-Signing and Zone-Signing Keys
3.1.1 Motivations for the KSK and ZSK functions
3.2 Key security considerations
3.3 Key rollovers
3.3.1 Zone-signing key rollovers
3.3.2 Key-signing key rollovers
4. Planning for emergency key rollover
4.1 KSK compromise
4.2 ZSK compromise
4.3 Compromises of keys configured at the resolver level
5. Parental policies
6. Initial key exchanges and parental policies considerations
6.1 Storing keys so hashes can be regenerated
6.2 Self signed keys during upload or not?
6.3 Security lameness checks
6.4 SIG DS validity period
7. Resolver key configuration
8. Security considerations
9. Acknowledgments
Normative References
Informative References
Authors' Addresses
A. Terminology