Add some notes about key rotations

Lucas 2020-12-23 16:40:44 +00:00
parent 0b072ec399
commit 9fef01eb0c
No known key found for this signature in database
GPG Key ID: 5DBF6E3FFBF257DD


@ -0,0 +1,62 @@
DNSSEC
======
ZSK
---
Assumes:
- ZSK_p is the ZSK key in retirement (previous)
- ZSK_c is the ZSK key that's going to be used for this period (current)
- ZSK_n is the ZSK key that's going to be used for the period after
ZSK_c is used (next)
1. On rotation day, generate ZSK_n and add its DNSKEY RR to the zone
2. Remove DNSKEY RR for ZSK_p from the zone
3. Sign DNSKEY RRs with KSK
4. Sign rest of the zone with ZSK_c
5. Publish signed zones, which includes:
- DNSKEY RRs for ZSK_c and ZSK_n signed by KSK
- Every other RR signed by ZSK_c
- Does not include ZSK_p DNSKEY RR nor any RRSIG signed by ZSK_p
NSEC3PARAM
----------
On ZSK rotation day, generate a new salt with
openssl rand -hex 11
and replace the current salt in the zone.
KSK
---
TBD
PGP
===
Main key
--------
TBD
Git signing key
---------------
TBD
SSH
===
1. Move current key set to `old/` directory
2. Change `~/.ssh/config` to also try keys from `old/` directory
3. Generate new key set
4. SSH to target machine and add new key to `~/.ssh/authorized_keys`
5. SSH again, with `-v` to confirm that the new key is being used
6. Change `~/.ssh/config` back to stop trying keys from `old/` directory
Key set:
- Own infra
- 3rd party infra
- Git-over-SSH
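Review bot: in the ZSK section, step 2 removes the DNSKEY RR for ZSK_p on the same rotation day that step 4 starts signing with ZSK_c, but the zone was signed with ZSK_p during the previous period, so resolvers can still hold RRSIGs made by ZSK_p (for up to the largest TTL of the signed RRsets) while fetching a DNSKEY RRset that no longer contains ZSK_p; those cached records then fail validation. Suggest keeping the ZSK_p DNSKEY in the zone until that TTL has elapsed after the first publication signed by ZSK_c, and only then removing it (for example by making "Remove DNSKEY RR for ZSK_p from the zone" a separate step with a "wait max TTL" note in front of it); the pre-publish of ZSK_n in step 1 already follows that pattern for the next period. Same pattern applies to the NSEC3PARAM salt change: since the salt is replaced on the same day, the whole NSEC3 chain is re-signed by ZSK_c, so it should be tied to the same TTL wait rather than done independently. In the SSH section, step 4 adds the new key to `~/.ssh/authorized_keys` but no step removes the old key from it, so after step 5 confirms the new key works a step such as "7. Remove old key from `~/.ssh/authorized_keys` on target machine" would complete the rotation. The KSK and both PGP sections are still "TBD"; worth a TODO marker so the file does not read as finished.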