Hi Nils,
Multi-signer setups are not trivial, in fact that is the cutting edge of DNSSEC right now.
Please have a look at Shumon's excellent RFC https://tools.ietf.org/html/rfc8901 for exactly that use case.
In short:
- Same algorithm on all instances
- You absolutely need to synchronize ZSK between instances
- KSK can be shared or separate
My recommendation would be to use ECDSA and not bother with the ask rollovers.
Same ZSK on all instances. Depending on your security requirements I would
consider offline KSK.
/Ulrich
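The three points in the summary above (same algorithm everywhere, every ZSK present on every instance, KSK shared or separate) turned into a consistency check over the DNSKEY RRsets the instances publish. This is an added example, not code from the thread or from Knot; the DNSKEY records it checks are constructed sample values, and the check follows only the rules stated in the reply.

```python
# Added example: verify the multi-signer invariants from the reply against the
# DNSKEY RRsets each signing instance publishes. Input is DNSKEY presentation
# format ("<flags> <protocol> <algorithm> <base64 key>"), e.g. from `dig DNSKEY`.
import base64
from dataclasses import dataclass

ZSK_FLAGS = 256  # Zone Key
KSK_FLAGS = 257  # Zone Key + Secure Entry Point

@dataclass(frozen=True)
class DNSKey:
    flags: int
    algorithm: int
    public_key: bytes

def parse_dnskey(rdata: str) -> DNSKey:
    """Parse one DNSKEY record in presentation format (base64 may be split by spaces)."""
    flags, protocol, algorithm, *key_parts = rdata.split()
    if int(protocol) != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    return DNSKey(int(flags), int(algorithm), base64.b64decode("".join(key_parts)))

def check_multisigner(rrsets: dict[str, list[str]]) -> list[str]:
    """Map of instance name -> DNSKEY rdata strings; returns findings (empty = consistent)."""
    findings = []
    keys = {inst: [parse_dnskey(r) for r in rdatas] for inst, rdatas in rrsets.items()}
    # 1. Same algorithm on all instances: a validator expects signatures for every
    #    algorithm listed in the DNSKEY RRset, so mixed algorithms break validation.
    algorithms = {k.algorithm for ks in keys.values() for k in ks}
    if len(algorithms) > 1:
        findings.append(f"algorithm mismatch across instances: {sorted(algorithms)}")
    # 2. Every ZSK must be published by every instance: a resolver may fetch the
    #    DNSKEY RRset from one server and an RRSIG produced by another.
    zsks = {inst: {k for k in ks if k.flags == ZSK_FLAGS} for inst, ks in keys.items()}
    all_zsks = set().union(*zsks.values())
    for inst, present in zsks.items():
        for missing in sorted(all_zsks - present, key=lambda k: k.public_key):
            findings.append(f"{inst} lacks ZSK {missing.public_key[:8].hex()} published elsewhere")
    # 3. KSKs may be shared or separate; only an instance with no KSK at all is flagged.
    for inst, ks in keys.items():
        if not any(k.flags == KSK_FLAGS for k in ks):
            findings.append(f"{inst} publishes no KSK")
    return findings

def _rdata(flags: int, alg: int, label: bytes) -> str:
    """Build a constructed DNSKEY record; `label` stands in for real key material."""
    return f"{flags} 3 {alg} {base64.b64encode(label).decode()}"

# Constructed sample RRsets: a consistent pair (shared KSK and ZSK, both ECDSAP256SHA256)
# and an inconsistent pair (different algorithms, ZSKs not synchronized).
SAMPLE_OK = {
    "ns1": [_rdata(257, 13, b"ksk-shared"), _rdata(256, 13, b"zsk-shared")],
    "ns2": [_rdata(257, 13, b"ksk-shared"), _rdata(256, 13, b"zsk-shared")],
}
SAMPLE_BAD = {
    "ns1": [_rdata(257, 13, b"ksk-a"), _rdata(256, 13, b"zsk-a")],
    "ns2": [_rdata(257, 8, b"ksk-b"), _rdata(256, 8, b"zsk-b")],
}
```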
On 21 Nov 2020, at 17:40, Nils Trampel <nils(a)trampel.org> wrote:
Hello,
as I plan to migrate an existing DNS setup to Knot, not only for deploying DNSSEC but also for synthesizing some records using mod-synthrecord, I am not sure how to set up online signing when having multiple public authoritative name servers. My uncertainty is whether it is necessary to give them the same ZSKs and do the key rollover from the outside, or whether the chain of trust isn't severed when they generate their own ZSKs based on a common KSK or even their distinct KSKs, and therefore provide different signatures.
Best regards and thanks,
Nils
--
Nils Trampel
GPG: 0x012BADD8
--
https://lists.nic.cz/mailman/listinfo/knot-dns-users