> On 18 Aug 2021, at 3:52 pm, Ralph Seichter <ra...@ml.seichter.de> wrote:
> 
> Well, sort of. As per default settings, BIND does not appear to create a
> key signing key (KSK) / zone signing key (ZSK) pair, but instead one
> single key to sign each zone. That's sufficient from a technical
> perspective, but whenever that combined key changes, some key material
> must be refreshed in the parent zone.
> 
> I highly recommend investing the extra time and effort to generate
> separate KSK and ZSK for each DNSSEC-protected domain. The KSK data will
> need to be published once, but you can roll your ZSK whenever you please
> without contacting a third party. This saves a lot of hassle in the long
> run.

With ECDSA P256(13) as the DNSKEY (signature) algorithm, the incentive
to rotate keys frequently (~90 days) is substantially lower, as the keys
are strong enough to resist cryptographic attacks for years.  The only
practical risk is key disclosure.

Thus a CSK (combined KSK + ZSK) is not unreasonable, and could be rotated
~annually.  The main reason for a separate KSK is then the possibility of
keeping the KSK offline, but then you can't fully automate zone signing
if the ZSK is automatically rotated.

Thus, a CSK is fine, and reduces the size of the zone's DNSKEY RRSet.
You end up with two keys when doing a key rollover, with the new key
taking over the signing of the rest of the zone, but both signing the
DNSKEY RRset until the DS RRs are updated, and ultimately the old key
retired.

-- 
        Viktor.
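The CSK rollover sketched above (new key takes over zone data, both keys sign the DNSKEY RRset until the parent DS is updated, then the old key is retired) can be checked mechanically. The following is an added example, not code from the thread or from BIND: it implements the RFC 4034 key tag and RFC 4509 SHA-256 DS digest over constructed DNSKEY records, then walks the four rollover phases with a simplified validator model (DS must match a published key that signs the DNSKEY RRset; every signer must be published). The key bytes, the zone name `example.com.` and the helper names are constructed for illustration; no real ECDSA signatures are produced or verified, and RRSIG timing is ignored.

```python
import hashlib
from dataclasses import dataclass

ALG_ECDSAP256SHA256 = 13   # DNSKEY algorithm 13, as discussed in the thread
FLAGS_CSK = 257            # ZONE (256) + SEP (1): a key the parent's DS may point at


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: length-prefixed lowercase labels."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class DNSKEY:
    flags: int
    algorithm: int
    public_key: bytes        # constructed bytes for the example, not a real ECDSA point
    protocol: int = 3        # always 3 for DNSSEC (RFC 4034 2.1.2)

    def rdata(self) -> bytes:
        return (self.flags.to_bytes(2, "big")
                + bytes([self.protocol, self.algorithm])
                + self.public_key)

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF


def ds_digest(owner: str, key: DNSKEY) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()


def ds_record(owner: str, key: DNSKEY):
    """(key tag, algorithm, digest) tuple as the parent would publish it."""
    return (key.key_tag(), key.algorithm, ds_digest(owner, key))


@dataclass
class ZoneState:
    owner: str
    dnskeys: list           # keys in the DNSKEY RRset
    dnskey_signers: list    # keys whose RRSIGs cover the DNSKEY RRset
    data_signers: list      # keys whose RRSIGs cover the rest of the zone
    parent_ds: list         # DS tuples currently published by the parent


def chain_ok(z: ZoneState) -> bool:
    """Simplified validator view: DS -> DNSKEY -> RRSIG(DNSKEY) -> RRSIG(zone data)."""
    published = set(z.dnskeys)
    # A DS must match a published key that also signs the DNSKEY RRset (RFC 4035 5.2).
    trusted = {
        k for (tag, alg, digest) in z.parent_ds for k in published
        if k.key_tag() == tag and k.algorithm == alg
        and ds_digest(z.owner, k) == digest and k in z.dnskey_signers
    }
    if not trusted or not z.data_signers:
        return False
    # Once the DNSKEY RRset is trusted, any published key may sign zone data.
    return all(s in published for s in z.dnskey_signers + z.data_signers)


def csk_rollover(owner: str, old: DNSKEY, new: DNSKEY):
    """Walk the rollover phases from the thread; returns [(phase, chain_ok)]."""
    ds_old, ds_new = ds_record(owner, old), ds_record(owner, new)
    phases = [
        ("steady state",            ZoneState(owner, [old], [old], [old], [ds_old])),
        ("new key signs data, both sign DNSKEY",
                                    ZoneState(owner, [old, new], [old, new], [new], [ds_old])),
        ("parent DS updated",       ZoneState(owner, [old, new], [old, new], [new], [ds_new])),
        ("old key retired",         ZoneState(owner, [new], [new], [new], [ds_new])),
    ]
    return [(name, chain_ok(state)) for name, state in phases]


def premature_retirement(owner: str, old: DNSKEY, new: DNSKEY) -> bool:
    """Failure mode: old key dropped before the parent DS was updated."""
    return chain_ok(ZoneState(owner, [new], [new], [new], [ds_record(owner, old)]))


if __name__ == "__main__":
    k_old = DNSKEY(FLAGS_CSK, ALG_ECDSAP256SHA256, bytes(range(64)))        # constructed
    k_new = DNSKEY(FLAGS_CSK, ALG_ECDSAP256SHA256, bytes(range(64, 128)))   # constructed
    for phase, ok in csk_rollover("example.com.", k_old, k_new):
        print(f"{phase:45s} chain intact: {ok}")
    print("retire old before DS update, chain intact:",
          premature_retirement("example.com.", k_old, k_new))
```

The interesting output is the last line: with the old key withdrawn while the parent still publishes its DS, no DS matches a published key and the whole zone goes bogus, which is exactly why the old key must keep signing the DNSKEY RRset until the DS change has propagated.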
