2020-12-23 17:40:44 +01:00
|
|
|
DNSSEC
|
|
|
|
|
======
|
|
|
|
|
|
|
|
|
|
ZSK
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
Assumes:
|
|
|
|
|
- ZSK_p is the ZSK key in retirement (previous)
|
|
|
|
|
- ZSK_c is the ZSK key that's going to be used for this period (current)
|
|
|
|
|
- ZSK_n is the ZSK key that's going to be used for the period after
|
|
|
|
|
ZSK_c is used (next)
|
|
|
|
|
|
|
|
|
|
1. On rotation day, generate ZSK_n and add its DNSKEY RR to the zone
|
|
|
|
|
2. Remove DNSKEY RR for ZSK_p from the zone
|
|
|
|
|
3. Sign DNSKEY RRs with KSK
|
|
|
|
|
4. Sign rest of the zone with ZSK_c
|
|
|
|
|
5. Publish signed zones, which includes:
|
2020-12-27 16:47:54 +01:00
|
|
|
- DNSKEY RRs for ZSK_p, ZSK_c and ZSK_n signed by KSK
|
2020-12-23 17:40:44 +01:00
|
|
|
- Every other RR signed by ZSK_c
|
2020-12-27 16:47:54 +01:00
|
|
|
- Does not include any RRSIG signed by ZSK_p
|
|
|
|
|
6. After cache expires, delete ZSK_p DNSKEY RR.
|
2020-12-23 17:40:44 +01:00
|
|
|
|
|
|
|
|
NSEC3PARAM
|
|
|
|
|
----------
|
|
|
|
|
|
|
|
|
|
On ZSK rotation day, generate a new salt with
|
|
|
|
|
|
|
|
|
|
openssl rand -hex 11
|
|
|
|
|
|
|
|
|
|
and replace the current salt in the zone.
|
|
|
|
|
|
|
|
|
|
KSK
|
|
|
|
|
---
|
|
|
|
|
|
|
|
|
|
TBD
|
|
|
|
|
|
|
|
|
|
PGP
|
|
|
|
|
===
|
|
|
|
|
|
|
|
|
|
Main key
|
|
|
|
|
--------
|
|
|
|
|
|
|
|
|
|
TBD
|
|
|
|
|
|
|
|
|
|
Git signing key
|
|
|
|
|
---------------
|
|
|
|
|
|
|
|
|
|
TBD
|
|
|
|
|
|
|
|
|
|
SSH
|
|
|
|
|
===
|
|
|
|
|
|
|
|
|
|
1. Move current key set to `old/` directory
|
|
|
|
|
2. Change `~/.ssh/config` to also try keys from `old/` directory
|
|
|
|
|
3. Generate new key set
|
|
|
|
|
4. SSH to target machine and add new key to `~/.ssh/authorized_keys`
|
|
|
|
|
5. SSH again, with `-v` to confirm that the new key is being used
|
|
|
|
|
6. Change `~/.ssh/config` back to stop trying keys from `old/` directory
|
|
|
|
|
|
|
|
|
|
Key set:
|
|
|
|
|
- Own infra
|
|
|
|
|
- 3rd party infra
|
|
|
|
|
- Git-over-SSH
|
