To: dnsop@cafax.se
From: "Olaf M. Kolkman" <olaf@ripe.net>
Date: Mon, 25 Aug 2003 09:26:47 +0200
Sender: owner-dnsop@cafax.se
Subject: draft-kolkman-dnssec-operational-practices-00.txt
Colleagues,
draft-kolkman-dnssec-operational-practices-00.txt is now in the I-D
repository.
To give you an idea about the content, the abstract and index are copied
below.
Does the working group want to accept this document as a working group
item?
-- Olaf
---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
Abstract
This Internet-Draft is intended as a place holder for considerations
and operational practices for DNSSEC key-management. It is intended
to be 'long-lived' and result in documentation of best(?) current
practices.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Time in DNSSEC . . . . . . . . . . . . . . . . . . . . . . . 3
2.1 Time definitions . . . . . . . . . . . . . . . . . . . . . . 3
2.2 Time considerations . . . . . . . . . . . . . . . . . . . . 4
3. Keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
3.1 Using Key-Signing and Zone-Signing Keys. . . . . . . . . . . 6
3.1.1 Motivations for the KSK and ZSK functions . . . . . . . . . 6
3.2 Key security considerations . . . . . . . . . . . . . . . . 6
3.3 Key rollovers . . . . . . . . . . . . . . . . . . . . . . . 7
3.3.1 Zone-signing key rollovers . . . . . . . . . . . . . . . . . 7
3.3.2 Key-signing key rollovers . . . . . . . . . . . . . . . . . 10
4. Planning for emergency key rollover. . . . . . . . . . . . . 11
4.1 KSK compromise . . . . . . . . . . . . . . . . . . . . . . . 12
4.2 ZSK compromise . . . . . . . . . . . . . . . . . . . . . . . 12
4.3 Compromises of keys configured at the resolver level . . . . 12
5. Parental policies. . . . . . . . . . . . . . . . . . . . . . 13
6. Initial key exchanges and parental policies considerations . . . . 13
6.1 Storing keys so hashes can be regenerated . . . . . . . . . 13
6.2 Self signed keys during upload or not? . . . . . . . . . . . 13
6.3 Security lameness checks. . . . . . . . . . . . . . . . . . 13
6.4 SIG DS validity period. . . . . . . . . . . . . . . . . . . 13
7. Resolver key configuration. . . . . . . . . . . . . . . . . 13
8. Security considerations . . . . . . . . . . . . . . . . . . 13
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . 13
Normative References . . . . . . . . . . . . . . . . . . . . 14
Informative References . . . . . . . . . . . . . . . . . . . 14
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 15
A. Terminology . . . . . . . . . . . . . . . . . . . . . . . . 15