KSK Rollover using CDS & CDNSKEY Key Rollover

If the upstream registry supports RFC 7344 key rollovers, you can use several pdnsutil commands to do this rollover. This HowTo follows the rollover example from the RFC's Appendix B.

We assume the zone name is example.com and is already DNSSEC signed.

Start by adding a new KSK to the zone: pdnsutil add-zone-key example.com ksk 2048 inactive. The “inactive” means that the key is not yet used for signing, so it does not sign the ZSK (DNSKEY) records. This limits the size of ANY and DNSKEY responses.

Publish the CDS records with pdnsutil set-publish-cds example.com; these records tell the parent zone which DS records to publish. Now wait for the DS records to be updated in the parent zone.

Once the DS records are updated, do the actual key rollover: pdnsutil activate-zone-key example.com new-key-id and pdnsutil deactivate-zone-key example.com old-key-id. You can get the new-key-id and old-key-id by listing the keys with pdnsutil show-zone example.com.

After the rollover, wait at least until the TTL of the DNSKEY records has expired, so validating resolvers that still cache the old DNSKEY RRset won't mark the zone as BOGUS. When the wait is over, delete the old key from the zone: pdnsutil remove-zone-key example.com old-key-id. This updates the CDS records to reflect only the new key.

Wait for the parent to pick up on the CDS change. Once the upstream DS records show only the DS records for the new KSK, you may disable sending out the CDS responses: pdnsutil unset-publish-cds example.com.
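The procedure above has two points where you must wait for the parent, and the safe way to know the wait is over is to derive the DS record from your own DNSKEY and compare it with what the parent actually serves. The following is an added example (not code from PowerDNS or its documentation) that does exactly that: it builds DS records from DNSKEY RDATA per RFC 4034, parses the answer lines you would get from a DS query at the parent, and reports which HowTo step is safe next (keep waiting, activate/deactivate, or unset-publish-cds). The DNSKEY public-key bytes and the parent DS text are constructed sample data, and all helper names are this example's own.

```python
"""Decide which step of a CDS-driven KSK rollover is safe to take next.

Added example; not part of PowerDNS. Models the two wait points of the HowTo:
after set-publish-cds (parent DS must cover the new KSK before the
activate/deactivate step) and after remove-zone-key (parent DS must cover
only the new KSK before unset-publish-cds). All inputs below are constructed.
"""
import hashlib
import struct

# DS digest types from the IANA registry that this example can recompute.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 section 6.2): lower-case labels, uncompressed."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA: 2-byte flags (257 = KSK with SEP bit), protocol 3, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, upper-case hex digest) the parent should publish."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), rdata[3], digest_type, digest)


def parse_ds_records(text):
    """Parse 'dig DS' style answer lines into DS tuples; dig may split the digest over tokens."""
    records = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DS" not in fields:
            continue  # blank line, dig comment, or not a DS record
        i = fields.index("DS")
        tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
        records.add((tag, alg, dtype, "".join(fields[i + 4:]).upper()))
    return records


def parent_covers(parent_ds, owner, rdata):
    """True if any DS the parent serves was derived from this DNSKEY (any digest type we support)."""
    return any(ds == ds_from_dnskey(owner, rdata, ds[2]) for ds in parent_ds if ds[2] in DIGESTS)


def next_step(parent_ds, owner, old_ksk, new_ksk):
    """Map the parent's current DS set to the HowTo step that is safe now."""
    new_ok = parent_covers(parent_ds, owner, new_ksk)
    old_ok = parent_covers(parent_ds, owner, old_ksk)
    if not new_ok:
        return "wait: parent DS does not yet cover the new KSK"
    if old_ok:
        return "activate new KSK, deactivate old KSK (both DS present at parent)"
    return "parent shows only the new KSK: unset-publish-cds is safe"


if __name__ == "__main__":
    OWNER = "example.com"
    OLD = dnskey_rdata(257, 3, 13, bytes(range(64)))        # constructed ECDSAP256 key bytes
    NEW = dnskey_rdata(257, 3, 13, bytes(range(64, 128)))   # constructed replacement KSK
    tag, alg, dtype, digest = ds_from_dnskey(OWNER, NEW)
    # Constructed answer line in the layout dig prints (digest split into two tokens).
    parent = parse_ds_records(f"example.com. 3600 IN DS {tag} {alg} {dtype} {digest[:32]} {digest[32:]}")
    print(next_step(parent, OWNER, OLD, NEW))
```

In practice you would feed parse_ds_records the answer section of a DS query sent to the parent's authoritative servers (not a recursive cache, which may still hold the old DS set for its TTL), and the DNSKEY RDATA of the two KSKs as exported from your own zone. The script deliberately recomputes every parent DS from your DNSKEY rather than matching on key tag alone, since key tags are not unique.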