Hello,
This version addresses all of the comments we received on and off list.
In addition, we tried out the procedure in this document on a test zone.
Based on this experience we added two important considerations:
1. While performing this procedure to recover from an unusable ZSK or
CSK the SOA record of the zone cannot be changed. This is because at the
moment the new DNSKEY gets introduced into the zone, the DNSKEY RRset
cannot be signed with the old, unusable key.
2. Signer implementations may automatically add CDS/CDNSKEY records to
the zone. This is not just pointless, but must actually be prevented.
Adding the CDS/CDNSKEY records changes the type bitmap in the NSEC or
NSEC3 record of the zone, which cannot be signed with the unusable
DNSKEY and thus would be bogus in resolvers that have not yet learned
the new DNSKEY.
We would love to hear your feedback on this new version.
Kind regards,
Martin and Florian
On 13/05/2026 16:51, [email protected] wrote:
Internet-Draft draft-ietf-dnsop-dnssec-keyrestore-01.txt is now available. It
is a work item of the Domain Name System Operations (DNSOP) WG of the IETF.
Title: DNSSEC Key Restore
Authors: Florian Obser
Martin Pels
Name: draft-ietf-dnsop-dnssec-keyrestore-01.txt
Pages: 12
Dates: 2026-05-13
Abstract:
This document describes the issues surrounding the handling of DNSSEC
private keys in a DNSSEC signer. It presents operational guidance in
case a DNSSEC private key becomes inoperable.
Discussion Venues
This note is to be removed before publishing as an RFC.
Discussion of this document takes place on the Domain Name System
Operations Working Group mailing list ([email protected]), which is
archived at https://mailarchive.ietf.org/arch/browse/dnsop/.
Source for this draft and an issue tracker can be found at
https://github.com/fobser/draft-fobser-dnsop-dnssec-keyrecovery.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-dnsop-dnssec-keyrestore/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-dnsop-dnssec-keyrestore-01.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-dnsop-dnssec-keyrestore-01
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
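The two considerations in Martin and Florian's message above (the apex SOA must not change while the not-yet-trusted DNSKEY is being introduced, and the signer must not add CDS/CDNSKEY records because they alter the apex NSEC/NSEC3 type bitmap) can be turned into a pre-publication check on the candidate zone. The script below is an added example, not code from the draft or its authors: it parses a simplified one-record-per-line zone format (a constructed subset of presentation format, no parentheses or `$ORIGIN` handling), compares the pre-procedure zone with the candidate zone, and reports the conditions that would leave the zone bogus for validators that still only know the old DNSKEY. The zone name `example.test.` and the DNSKEY key material are constructed placeholders; the `check_key_restore_zone` function and its messages are this example's own.

```python
"""Pre-publication check for a DNSSEC key-restore zone snapshot (added example)."""
from collections import defaultdict

# Apex RR types a signer may add on its own and that must be absent while the
# zone carries a DNSKEY that validators have not yet learned (point 2 above).
FORBIDDEN_APEX_TYPES = ("CDS", "CDNSKEY")


def parse_zone(text):
    """Parse a simplified one-record-per-line zone file.

    Format: <owner> <ttl> <class> <type> <rdata...>; ';' starts a comment.
    Returns {(owner, type): [rdata, ...]} with RDATA whitespace normalised,
    so two RRsets compare equal only if their RDATA is identical.
    """
    rrsets = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets[(owner.lower(), rtype.upper())].append(" ".join(rdata.split()))
    return {key: sorted(values) for key, values in rrsets.items()}


def apex_types(rrsets, apex):
    """RR types present at the apex: this is exactly what the apex NSEC/NSEC3
    type bitmap encodes, so any change here changes a signed NSEC/NSEC3 RRset."""
    return {rtype for (owner, rtype) in rrsets if owner == apex}


def check_key_restore_zone(before_text, after_text, apex):
    """Return a list of problem strings; an empty list means the candidate is OK."""
    apex = apex.lower()
    before, after = parse_zone(before_text), parse_zone(after_text)
    problems = []

    # 1. The SOA RRset must be unchanged (serial included): the old, unusable
    #    key cannot produce a fresh RRSIG over a modified SOA.
    if before.get((apex, "SOA")) != after.get((apex, "SOA")):
        problems.append("apex SOA changed: %r -> %r"
                        % (before.get((apex, "SOA")), after.get((apex, "SOA"))))

    # 2. CDS/CDNSKEY at the apex are not just pointless but harmful here.
    for rtype in FORBIDDEN_APEX_TYPES:
        if (apex, rtype) in after:
            problems.append("%s present at apex; it changes the apex "
                            "NSEC/NSEC3 type bitmap" % rtype)

    # Generalisation of 2: any other type added to or removed from the apex
    # also rewrites the type bitmap, which the unusable key cannot re-sign.
    changed = (apex_types(before, apex) ^ apex_types(after, apex)) - set(FORBIDDEN_APEX_TYPES)
    if changed:
        problems.append("apex type bitmap changed for: " + ", ".join(sorted(changed)))

    return problems


# Constructed sample zones; key material is a placeholder, not real base64.
ZONE_BEFORE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2026051301 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 13 PLACEHOLDER-KSK-PUBLIC-KEY
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDER-OLD-UNUSABLE-ZSK
ns1.example.test. 3600 IN A 192.0.2.1
"""

# Correct candidate: replacement ZSK added, nothing else touched.
ZONE_AFTER_OK = ZONE_BEFORE + """
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDER-NEW-ZSK
"""

# Faulty candidate: signer bumped the SOA serial and emitted a CDS record.
ZONE_AFTER_BAD = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2026051302 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 13 PLACEHOLDER-KSK-PUBLIC-KEY
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDER-OLD-UNUSABLE-ZSK
example.test. 3600 IN DNSKEY 256 3 13 PLACEHOLDER-NEW-ZSK
example.test. 3600 IN CDS 12345 13 2 PLACEHOLDER-DIGEST
ns1.example.test. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    for label, candidate in (("ok", ZONE_AFTER_OK), ("bad", ZONE_AFTER_BAD)):
        print(label, check_key_restore_zone(ZONE_BEFORE, candidate, "example.test."))
```

The check runs before the zone is handed to the signer or published; a non-empty result means the candidate would be bogus for validators that have not yet learned the new DNSKEY. A production version should feed the comparison from a real zone parser (multi-line SOA records, `$ORIGIN`, `$TTL`) rather than the line-per-record subset assumed here, and should also cover the RRSIG and NSEC/NSEC3 records that the signer emits, which this example leaves out.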