env/procedures/key-rotation.txt

DNSSEC
======
ZSK
---
Assumes:

- ZSK_p is the ZSK key in retirement (previous)
- ZSK_c is the ZSK key that's going to be used for this period (current)
- ZSK_n is the ZSK key that's going to be used for the period after
  ZSK_c is used (next)

1. On rotation day, generate ZSK_n and add its DNSKEY RR to the zone
2. Remove DNSKEY RR for ZSK_p from the zone
3. Sign DNSKEY RRs with KSK
4. Sign rest of the zone with ZSK_c
5. Publish signed zones, which:
   - include DNSKEY RRs for ZSK_p, ZSK_c and ZSK_n signed by KSK
   - have every other RR signed by ZSK_c
   - do not include any RRSIG signed by ZSK_p
6. After cache expires, delete ZSK_p DNSKEY RR.
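
A check for the published state listed in step 5, as an added example that is not part of the original procedure. The function names, the `example.test.` zone and the key bytes are constructed for illustration. It reads step 5 strictly (DNSKEY RRset signed by the KSK only) and identifies keys by their RFC 4034 key tag.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag of a DNSKEY (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def check_published_zone(zone_text, zsk_p, zsk_c, zsk_n):
    """List deviations from the step 5 state (empty list = OK). Arguments are key tags.
    Assumes one record per line with explicit TTL and class, and no delegations."""
    zsk_tags, ksk_tags, rrsets, sigs = set(), set(), set(), []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        owner, rtype, rdata = f[0].lower(), f[3], f[4:]
        if rtype == "RRSIG":
            sigs.append((owner, rdata[0], int(rdata[6])))  # type covered, key tag
            continue
        rrsets.add((owner, rtype))
        if rtype == "DNSKEY":
            flags = int(rdata[0])
            tag = key_tag(flags, int(rdata[1]), int(rdata[2]), "".join(rdata[3:]))
            (ksk_tags if flags & 1 else zsk_tags).add(tag)  # SEP bit set = KSK
    problems = [f"{role} DNSKEY not published"
                for role, tag in (("ZSK_p", zsk_p), ("ZSK_c", zsk_c), ("ZSK_n", zsk_n))
                if tag not in zsk_tags]
    signed = set()
    for owner, covered, tag in sigs:
        if tag == zsk_p:
            problems.append(f"{owner} {covered}: RRSIG made with retired ZSK_p")
        elif (tag in ksk_tags) if covered == "DNSKEY" else (tag == zsk_c):
            signed.add((owner, covered))
        else:
            problems.append(f"{owner} {covered}: RRSIG from unexpected key tag {tag}")
    return problems + [f"{o} {t}: no RRSIG from the expected key"
                       for o, t in sorted(rrsets - signed)]

# Constructed sample: placeholder key bytes and signature, not real key material.
KEYS = {"KSK": (257, "AQID"), "ZSK_p": (256, "BAUG"), "ZSK_c": (256, "BwgJ"), "ZSK_n": (256, "CgsM")}
TAGS = {name: key_tag(flags, 3, 13, pub) for name, (flags, pub) in KEYS.items()}

def sample_zone(data_signer="ZSK_c"):
    sig = "example.test. 3600 IN RRSIG {} 13 2 3600 20250201000000 20250101000000 {} example.test. c2ln"
    zone = [f"example.test. 3600 IN DNSKEY {fl} 3 13 {pub}" for fl, pub in KEYS.values()]
    zone += [sig.format("DNSKEY", TAGS["KSK"]), "example.test. 3600 IN A 192.0.2.1",
             sig.format("A", TAGS[data_signer])]
    return "\n".join(zone)
```

Two different keys can share a key tag, so a clean result here narrows the check but does not replace validating the signatures with a resolver.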
NSEC3PARAM
----------
On ZSK rotation day, generate a new salt with

    openssl rand -hex 11

and replace the current salt in the zone.
KSK
---
TBD
PGP
===
Main key
--------
TBD
Git signing key
---------------
TBD
SSH
===
1. Move current key set to `old/` directory
2. Change `~/.ssh/config` to also try keys from `old/` directory
3. Generate new key set
4. SSH to target machine and add new key to `~/.ssh/authorized_keys`
5. SSH again, with `-v` to confirm that the new key is being used
6. Change `~/.ssh/config` back to stop trying keys from `old/` directory

Key set:

- Own infra
- 3rd party infra
- Git-over-SSH