Your master nameserver has died. You just found out your backups are unreadable. Your disaster recovery plan is in tatters. But there's no need to panic!
The easy answer in this situation is to delete your DS record(s) from the parent zone to go insecure, then reconstruct your DNS setup with new keys, before adding new DS records to re-establish a chain of trust.

But if you have a copy of the zone, with signatures and public keys, but not the private keys, it is still just about possible to transition to a new set of keys without breaking the chain of trust. The key observation is that some of the standard key rollover procedures can mostly be performed without generating new signatures with the old private key.

The process goes like this:

(1) Set up the existing zone on your new master. Generate new keys - you can't publish them yet because you can't make any changes to the zone without the old private keys.

(2) Add DS record(s) to your parent zone corresponding to your new KSK, and keep the old DS record(s). Wait for the DS RRset TTL so that the old records expire. Now everyone is prepared to trust your new KSK.

(3) Add the new KSK and ZSK public keys to the DNSKEY RRset and sign it with the new KSK. The rest of the zone remains signed with the old ZSK. There is a problem here in that you can't update the SOA serial number, so you need to use underhanded means to update the slaves with the new zone. Wait for the DNSKEY RRset TTL. Now everyone is willing and able to validate signatures made with your new keys, and can still validate old signatures.

(4) Re-sign the rest of the zone with the new ZSK. Wait for the zone's maximum TTL. Now no-one has any signatures made with the old keys.

(5) Clean up by deleting the old DS record(s) from the parent and the old public keys from the DNSKEY RRset.

Tony.
-- 
f.anthony.n.finch <[email protected]> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first.
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
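The following is an added worked example, not part of the post above and not Tony's code: a toy model of the five-step rollover that checks, for every step, that a validating resolver still has a chain of trust whatever mix of old and new cached RRsets it holds. The key labels (K1/Z1 for the old KSK/ZSK, K2/Z2 for the new ones) are assumptions of the model; there is no real cryptography, a DS record is simply the label of the KSK it delegates to and an RRSIG is the label of the key that made it. The model also shows why the DS-first ordering matters, by replaying the same steps with step (2) skipped.

```python
"""Toy model of a DNSSEC key rollover done without the old private keys.

Added example (not from the post).  Keys are labels: "K1"/"Z1" are the old
KSK/ZSK whose private halves are lost, "K2"/"Z2" the new keys.  A DS record
is the label of the KSK it names; an RRSIG is the label of the signing key.
The point is the ordering of the steps and the TTL waits between them.
"""
from dataclasses import dataclass, replace
from itertools import product


@dataclass(frozen=True)
class DnskeyRRset:
    keys: frozenset       # public keys published in the DNSKEY RRset
    signed_by: frozenset  # KSKs whose RRSIGs cover this RRset (served with it)


@dataclass(frozen=True)
class ZoneState:
    ds: frozenset              # DS records held by the parent zone
    dnskey: DnskeyRRset        # the child's DNSKEY RRset plus its RRSIGs
    zone_signed_by: frozenset  # ZSKs whose RRSIGs cover the rest of the zone


def validates(ds, dnskey, zone_signed_by):
    """Resolver-side check.  Each argument is the version of that RRset the
    resolver happens to have cached: DS from the parent, DNSKEY plus its
    RRSIGs from the child apex, zone data plus its RRSIGs from the child."""
    # The DNSKEY RRset is trusted if some KSK in it is named by a DS record
    # and an RRSIG over the RRset was made by that same KSK.
    trusted_ksks = ds & dnskey.keys & dnskey.signed_by
    if not trusted_ksks:
        return False
    # Zone data is trusted if an RRSIG over it was made by a ZSK that is
    # published in the (now trusted) DNSKEY RRset.
    return bool(zone_signed_by & dnskey.keys)


def rollover_failures(states):
    """Walk consecutive states.  Because each step is followed by a wait for
    the relevant TTL, a resolver holds, for each RRset independently, either
    the previous or the current version.  Return every (step, DS, DNSKEY
    keys, zone signers) combination that would fail to validate."""
    failures = []
    for step, (before, after) in enumerate(zip(states, states[1:]), start=1):
        for ds, dnskey, zsig in product(
            {before.ds, after.ds},
            {before.dnskey, after.dnskey},
            {before.zone_signed_by, after.zone_signed_by},
        ):
            if not validates(ds, dnskey, zsig):
                failures.append((step, sorted(ds), sorted(dnskey.keys), sorted(zsig)))
    return failures


def post_schedule():
    """The five steps from the post, as successive zone states."""
    fs = frozenset
    old = DnskeyRRset(fs({"K1", "Z1"}), fs({"K1"}))
    # Step 3: the RRset changed, so the old K1 signature is useless and only
    # K2 (whose private key we hold) can sign the new DNSKEY RRset.
    both = DnskeyRRset(fs({"K1", "Z1", "K2", "Z2"}), fs({"K2"}))
    new = DnskeyRRset(fs({"K2", "Z2"}), fs({"K2"}))
    return [
        ZoneState(fs({"K1"}), old, fs({"Z1"})),         # (1) zone as recovered
        ZoneState(fs({"K1", "K2"}), old, fs({"Z1"})),   # (2) new DS beside old; wait DS TTL
        ZoneState(fs({"K1", "K2"}), both, fs({"Z1"})),  # (3) publish new keys; wait DNSKEY TTL
        ZoneState(fs({"K1", "K2"}), both, fs({"Z2"})),  # (4) re-sign with Z2; wait max TTL
        ZoneState(fs({"K2"}), new, fs({"Z2"})),         # (5) clean up
    ]


def skipped_ds_schedule():
    """Step (2) left out: new keys are published and the DNSKEY RRset is
    signed by K2 while the parent still only carries the old DS."""
    s = post_schedule()
    return [s[0], replace(s[2], ds=frozenset({"K1"}))]


if __name__ == "__main__":
    print("post's ordering:", rollover_failures(post_schedule()) or "validates at every step")
    print("step (2) skipped:", rollover_failures(skipped_ds_schedule()))
```

The model deliberately leaves out two things the post raises or implies: the SOA serial problem in step (3) (the model assumes the slaves somehow got the new zone) and RRSIG validity periods. In a real rollover the existing signatures made with the lost keys cannot be renewed, so all five steps have to finish before those RRSIGs expire, which puts a hard deadline on the sum of the TTL waits.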
