

Perform a Double Signature KSK Rollover

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Use the following procedure to perform a double signature KSK rollover.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Performing double signature KSK rollover

In this procedure, ZSK1 and KSK1 denote the keys that are currently used to sign the zone. ZSK2 and KSK2 denote the new keys that will be generated using this procedure. All signing operations must continue to use ZSK1 to sign the zone data in addition to the appropriate KSK.

Step 0

Description: The zone has been signed with KSK1 and ZSK1. For more information, see Sign a Zone File.

Command: The zone has been signed with a specified validity period (using /ValidFrom and /ValidTo).

Step 1

Description: Obtain the TTL of the DS record in the parent zone that corresponds to KSK1 (DS_TTL).

Step 2

Description: Generate the new key that will be added, KSK2. For more information, see Generate Key Pairs.

Command: DnsCmd /OfflineSign /GenKey with /flags ksk

Step 3

Description: Re-sign the zone with KSK1, KSK2, and ZSK1. For an example, see Zone signing commands.

Command: DnsCmd /OfflineSign /SignZone. Use /Signkey three times, once each with KSK1, KSK2, and ZSK1.

Step 4

Description: Provide the new DS record set to the owner of the parent zone. The owner of the parent zone must replace the original DS set with the new dsset-<zone name> and keyset-<zone name> files that point to KSK2.

Command: Provide dsset-<zone name> and keyset-<zone name> to the parent.

Step 5

Description: After the parent has updated the record, wait for a period of time equal to the DS_TTL value.

Step 6

Description: After the period specified in DS_TTL has elapsed, re-sign the zone with KSK2 and ZSK1. For an example, see Zone signing commands.

Command: DnsCmd /OfflineSign /SignZone. Use /Signkey twice, once with KSK2 and once with ZSK1. Use the /ValidFrom and /ValidTo parameters to specify the validity period for KSK2.

Zone signing commands

The following are example zone signing commands used when performing a double signature KSK rollover.

  • Step 3: Re-sign the zone with KSK1, KSK2, and ZSK1:

    DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /cert /friendlyname ksk2-<zone name> /signkey /cert /friendlyname ksk1-<zone name> /signkey /cert /friendlyname zsk1-<zone name>
    
  • Step 6: Re-sign the zone with KSK2 and ZSK1, providing a new KSK validity period (ZSK1 is still passed with /signkey so that the zone data remains signed):

    DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname ksk2-<zone name> /signkey /cert /friendlyname zsk1-<zone name>
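The following PowerShell script is an added example, not code from the original page or from Microsoft, that strings the rollover steps above (generate KSK2, re-sign with KSK1, KSK2 and ZSK1, hand the DS set to the parent, wait out DS_TTL, then re-sign with KSK2 and ZSK1) into one runnable sequence and builds the UTC YYYYMMDDHHMMSS values that /ValidFrom and /ValidTo expect. The parameter names, file names, the 395-day KSK validity default, the /Alg and /Length arguments passed to /GenKey, and the location of the dsset and keyset files are assumptions of this example; the parent-zone handoff in Step 4 is manual and is represented by a pause.

```powershell
# Added example (not part of the original page): drives a double signature KSK rollover with dnscmd.
# Assumes it runs on the signing host as a member of Administrators and that Step 0 is done,
# i.e. certificates with friendly names ksk1-<zone> and zsk1-<zone> already exist.
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string] $Zone,          # FQDN of the zone, e.g. contoso.com (assumed example value)
    [Parameter(Mandatory)] [string] $InputFile,     # zone file to sign (<input zone file>)
    [Parameter(Mandatory)] [string] $OutputFile,    # signed zone file (<output zone file>)
    [Parameter(Mandatory)] [int]    $DsTtlSeconds,  # DS_TTL obtained in Step 1 from the parent zone
    [int]    $KskValidityDays = 395,                # assumed: roughly the 13-month default dnscmd uses for KSKs
    [switch] $SkipWait                              # dry runs only; never skip the DS_TTL wait in production
)

$ErrorActionPreference = 'Stop'
$ksk1 = "ksk1-$Zone"; $ksk2 = "ksk2-$Zone"; $zsk1 = "zsk1-$Zone"

# /ValidFrom and /ValidTo take UTC times in YYYYMMDDHHMMSS. Start one hour in the past, which is
# also what dnscmd does when /ValidFrom is omitted, so clock skew on resolvers does not bite.
function Get-ValidityWindow([int] $Days) {
    $from = [DateTime]::UtcNow.AddHours(-1)
    @{ From = $from.ToString('yyyyMMddHHmmss'); To = $from.AddDays($Days).ToString('yyyyMMddHHmmss') }
}

# Runs dnscmd.exe and stops the rollover on any non-zero exit code.
function Invoke-Dnscmd([string[]] $Arguments) {
    Write-Verbose "dnscmd $($Arguments -join ' ')"
    & dnscmd.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "dnscmd failed (exit $LASTEXITCODE): $($Arguments -join ' ')" }
}

# Step 2: generate KSK2 as a self-signed certificate. /Alg and /Length are assumed here; the page only shows /flags ksk.
Invoke-Dnscmd @('/OfflineSign', '/GenKey', '/Alg', 'rsasha1', '/Flags', 'KSK', '/Length', '2048',
    '/Cert', '/FriendlyName', $ksk2)

# Step 3: sign with KSK1, KSK2 and ZSK1 so the chain validates whichever DS the parent currently serves.
Invoke-Dnscmd @('/OfflineSign', '/SignZone', '/Input', $InputFile, '/Output', $OutputFile, '/Zone', $Zone,
    '/SignKey', '/Cert', '/FriendlyName', $ksk2,
    '/SignKey', '/Cert', '/FriendlyName', $ksk1,
    '/SignKey', '/Cert', '/FriendlyName', $zsk1)

# Step 4: /SignZone writes dsset-<zone> and keyset-<zone>; hand them to the parent zone operator.
# (Assumed: the files are written next to the output file.)
$dir = Split-Path -Parent (Resolve-Path $OutputFile)
Write-Host "Load $OutputFile into the DNS server, then send $(Join-Path $dir "dsset-$Zone") and $(Join-Path $dir "keyset-$Zone") to the parent."
Read-Host 'Press Enter once the parent has published the DS record for KSK2'

# Step 5: resolvers may hold the old DS for up to DS_TTL; retiring KSK1 earlier breaks validation for them.
if (-not $SkipWait) {
    Write-Host "Waiting $DsTtlSeconds seconds (DS_TTL) before retiring KSK1..."
    Start-Sleep -Seconds $DsTtlSeconds
}

# Step 6: sign with KSK2 and ZSK1 only. ZSK1 stays a signing key so the zone data remains signed;
# the explicit validity window applies to the RRSIGs KSK2 creates.
$win = Get-ValidityWindow $KskValidityDays
Invoke-Dnscmd @('/OfflineSign', '/SignZone', '/Input', $InputFile, '/Output', $OutputFile, '/Zone', $Zone,
    '/SignKey', '/ValidFrom', $win.From, '/ValidTo', $win.To, '/Cert', '/FriendlyName', $ksk2,
    '/SignKey', '/Cert', '/FriendlyName', $zsk1)
Write-Host "Rollover complete: KSK1 is no longer used. Load $OutputFile into the DNS server."
```

Run it with -Verbose to see each dnscmd command line before it executes; the two /SignZone calls take the same unsigned input file and overwrite the same output file, so the zone loaded into the server is always the latest signed copy.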
    
The values and parameters used in the zone signing commands are described below.

dnscmd

The command-line tool for managing DNS servers.

/OfflineSign

Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file.

/SignZone

Required. Used to sign a zone file.

/input

Required. Used with <input filename> to designate the zone file to be signed.

<input filename>

Required. The file name of the zone file to be signed.

/output

Required. Used with <output filename> to designate the name of the zone file after it has been signed.

<output filename>

Required. The file name of the signed zone.

/Zone

Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone.

<zone name>

Required. The FQDN of the zone.

/Signkey

Required. Specifies the key that will be used to sign the zone.

/Addkey

Optional. Specifies a key that will be added to the zone (its DNSKEY record is published) but will not be used to sign the zone.

/ValidFrom

Optional. Used with <validfromdate> to specify the start time of the validity period of RRSIG records created using this key. If not specified, the validity period will start one hour prior to the current UTC time.

<validfromdate>

Optional. Specifies the UTC start time of the validity period in YYYYMMDDHHMMSS format.

/ValidTo

Optional. Used with <validtodate> to specify the end time of the validity period of RRSIG records created using this key. If not specified, the validity period will end 30 days from the start of the validity period for zone signing keys or 13 months from the start of the validity period for key signing keys.

<validtodate>

Optional. Specifies the UTC end time of the validity period in YYYYMMDDHHMMSS format.

/Cert

Required. Specifies that keys are stored in a certificate.

/FriendlyName

Used with KSK-<zone name> or ZSK-<zone name> to specify the friendly name of the self-signed certificate.

KSK1-<zone name>

Specifies the friendly name of the self-signed certificate used with the existing KSK prior to rollover.

KSK2-<zone name>

Specifies the friendly name of the self-signed certificate used with the new KSK that will be used following rollover.

ZSK1-<zone name>

Specifies the friendly name of the self-signed certificate used with the existing ZSK prior to rollover.

See Also

Concepts

When to Re-sign a Zone File
Appendix C: DNSSEC PowerShell Scripts