Managing DNSSEC keys with Simple DNS Plus

About DNSSEC key types:

RFC4641 (DNSSEC Operational Practices) defines two key types; "Key Signing Key" (KSK) and "Zone Signing Key" (ZSK).
Typically a zone is signed with both a KSK and a ZSK.
KSKs only sign the public key records (DNSKEY) for a zone, and usually have a long validity period (like 13 months).
KSKs are used as "Secure Entry Points" (SEP), and are referenced in parents zones through a delegation signature (DS-record).
ZSKs sign all the record sets in a zone, and usually have a shorter validity period (like 1 month).
ZSKs are not Secure Entry Points, and are not referenced directly in parent zones.
This setup allows a zone operator to change his keys (ZSKs) more frequently without having to update the delegation signature in the parent zone.
Note that when the signatures for either of these keys are about to expire, new keys and signatures must be added, so that in overlapping periods a zone might be signed by 3 or 4 different keys at the same time.

Simple DNS Plus also supports a 3rd key type - "Simple".
This is basically a combined KSK and ZSK - a key used as a Secure Entry Point and also to sign all record sets in a zone.
This is just a simpler model which may be easier to use in some scenarios - but of course doesn't provide the benefits of KSK/ZSK separation.

About DNSSEC key files:

When signing a zone (see reference articles below), Simple DNS Plus uses a "DNSSEC key file" containing the private/public key sets and various other options needed when signing.
Keeping this information in a separate file makes it easy to re-use the same keys for several zones, and it allows you to store keys off-line (as per the DNSSEC RFC recommendations), for example on a USB flash drive or floppy disk.
The DNSSEC key file format used by Simple DNS Plus is proprietary and cannot be used directly with other DNSSEC programs/tools - there is no standard specification for this.
However the file format is XML based and very simple. You can examine it with notepad or an XML file editor.

Managing DNSSEC keys and key files:

You can specify a default DNSSEC key file for a zone in the Zone Properties dialog / DNSSEC tab:

Image11.png

Creating or editing a DNSSEC key file (by clicking the "Create new" / "Edit" buttons either in the Zone Properties dialog / DNSSEC tab, or in the DNSSEC Sign Zone dialog), brings up the "DNSSEC Key File" dialog where you can edit individual key sets and specify other signing options:

Image12.png

DNSSEC key file dialog details:

  • Key Sets
    List of key sets which will be used to sign the zone(s).
  • Encrypt private keys for key sets
    • None / All / KSK only
      - None: private keys are not encrypted in the DNSSEC key file, and you will never be asked for a password when signing zones.
      - All: all private keys are encrypted in the DNSSEC key file, and you will always be asked for a password when signing zones.
      - KSK only: only private keys for KSK type key sets are encrypted in the DNSSEC key file. You will be asked for the password the first time you sign a zone, and then only whenever the key sets change (and the DNSKEY record set therefore needs the be resigned).
    • Password
      Sets or changes the password used the encrypt the private keys.
  • NSEC3
    When enabled, the signing process will use NSEC3 (RFC5155) instead of NSEC (RFC4034) for denial-of-existence data. NSEC3 is more secure and more flexible than NSEC, but not yet as widely supported.
    • Salt length
      Length of random salt value used to prevent dictionary attacks against NSEC3 records.
    • Iterations
      The number of additional hash calculations performed when calculating NSEC3 record names (higher number = more secure, but more taxing on DNS server).


When you add / edit a key set, the details are specified in the DNSSEC Key Set dialog:

Image13.png

DNSSEC Key Set dialog details:

  • Key set ID
    A unique ID (within the key file) for this key set.
    This is for identification only and can be anything you want.
    This is also added in the comment field on related signature DNS records.
  • Key set type
    Select the key set type - see discussion at the top of the page. RSA is recommend in RFCs.
  • Algorithm
    Cryptography algorithms used to calculate signatures.
  • Key size (bits)
    Key strength
  • Public key
    The public key in DNS zone file format - only available when editing existing key set.
  • Signatures expire
    When signatures created with this key set will expire.
    The RFCs recommend 13 months for KSKs, and 1 month for ZSKs.
  • DNSKEY only
    Check this if you don't want any record sets signed by this key set (but still include the DNSKEY record).
    This is typically used in "key pre-publish" scenarios.

REFERENCES:
For more information, please see the following knowledge base articles:

KB Article Check DNSSEC Signatures tool
KB Article How to DNSSEC sign a zone with Simple DNS Plus

Connect