Perform a Pre-Published ZSK Rollover
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Tip
This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.
Use the following procedure to perform a pre-published ZSK rollover.
Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Performing pre-published ZSK rollover
In this procedure, ZSK1 and KSK1 denote the keys that are currently used to sign the zone. ZSK2 and KSK2 denote the new keys that will be generated using this procedure. All signing operations must continue to use KSK1 to sign the records at the apex in addition to the appropriate ZSK.
The following table lists the steps for performing a pre-published ZSK rollover. The two waits (Steps 4 and 6) are measured from the moment the re-signed zone is loaded on all authoritative servers, not from the moment the file is signed.
Step | Description | Command |
---|---|---|
Step 0 | The zone has been signed with KSK1 and ZSK1. For more information, see Sign a Zone File. | The zone has been signed with a specified validity period using the /ValidFrom and /ValidTo parameters. |
Step 1 | Generate the new key, ZSK2. For more information, see Generate Key Pairs. | DnsCmd /OfflineSign /GenKey |
Step 2 | Identify the TTL value of the DNSKEY RRset in the zone (DNSKEY_TTL) and the largest TTL of any record in the zone (MaxZone_TTL). These values bound how long resolvers can keep caching the old DNSKEY RRset and the old signatures, and therefore how long the waits in Steps 4 and 6 must be. | |
Step 3 | Add the new key to the zone and re-sign the zone with KSK1 and ZSK1, using /addkey with ZSK2. ZSK2 is published in the DNSKEY RRset but is not used to sign the zone. For an example, see Zone signing commands. | DnsCmd /OfflineSign /SignZone. Use /signkey twice, once with KSK1 and once with ZSK1. Use /addkey to add ZSK2 to the zone. |
Step 4 | Publish the re-signed zone on all authoritative servers, then wait for a period of time equal to the MaxZone_TTL value, so that every cached copy of the DNSKEY RRset that does not yet contain ZSK2 has expired. | |
Step 5 | After MaxZone_TTL has elapsed, re-sign the zone with KSK1 and ZSK2, using /addkey with ZSK1. ZSK1 remains published but is no longer used to sign the zone; KSK1 continues to sign the records at the apex, as noted above. For an example, see Zone signing commands. | DnsCmd /OfflineSign /SignZone. Use /signkey twice, once with KSK1 and once with ZSK2. Use /addkey to add ZSK1 to the zone. |
Step 6 | Publish the re-signed zone, then wait for a period of time equal to the MaxZone_TTL value, so that every cached RRSIG created with ZSK1 has expired before ZSK1 is removed. | |
Step 7 | After MaxZone_TTL has elapsed, re-sign the zone with KSK1 and ZSK2 only. Because ZSK1 is given neither as a /signkey nor as an /addkey, it is removed from the zone. For an example, see Zone signing commands. | DnsCmd /OfflineSign /SignZone. Use /signkey twice, once with KSK1 and once with ZSK2. Use the /ValidFrom and /ValidTo parameters to specify the validity period for ZSK2. |
Zone signing commands
The following are example zone signing commands used when performing a pre-published ZSK rollover.
Step 3: Re-sign the zone with KSK1 and ZSK1, adding ZSK2:
DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /cert /friendlyname ksk1-<zone name> /signkey /cert /friendlyname zsk1-<zone name> /addkey /cert /friendlyname zsk2-<zone name>
Step 5: Re-sign the zone with KSK1 and ZSK2, adding ZSK1 (ZSK1 stays published but no longer signs):
DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /cert /friendlyname ksk1-<zone name> /signkey /cert /friendlyname zsk2-<zone name> /addkey /cert /friendlyname zsk1-<zone name>
Step 7: Re-sign the zone with KSK1 and ZSK2, deleting ZSK1 and providing a new ZSK validity period:
DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /cert /friendlyname ksk1-<zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname zsk2-<zone name>
Value | Description |
---|---|
dnscmd | The command-line tool for managing DNS servers. |
/OfflineSign | Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file. |
/SignZone | Required. Used to sign a zone file. |
/input | Required. Used with <input filename> to designate the zone file to be signed. |
<input filename> | Required. The file name of the zone file to be signed. |
/output | Required. Used with <output filename> to designate the name of the zone file after it has been signed. |
<output filename> | Required. The file name of the signed zone. |
/Zone | Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone. |
<zone name> | Required. The FQDN of the zone. |
/Signkey | Required. Specifies a key that will be used to sign the zone. It may be given more than once, for example once for the KSK and once for the ZSK. |
/Addkey | Optional. Specifies a key that will be added to the zone's DNSKEY RRset but will not be used to sign the zone. |
/ValidFrom | Optional. Used with <validfromdate> to specify the start time of the validity period of RRSIG records created using this key. If not specified, the validity period will start one hour prior to the current UTC time. |
<validfromdate> | Optional. Specifies the UTC start time of the validity period in YYYYMMDDHHMMSS format. |
/ValidTo | Optional. Used with <validtodate> to specify the end time of the validity period of RRSIG records created using this key. If not specified, the validity period will end 30 days from the start of the validity period for zone signing keys or 13 months from the start of the validity period for key signing keys. |
<validtodate> | Optional. Specifies the UTC end time of the validity period in YYYYMMDDHHMMSS format. |
/Cert | Required. Specifies that keys are stored in a certificate. |
/FriendlyName | Used with a name such as KSK1-<zone name> or ZSK1-<zone name> to specify the friendly name of the self-signed certificate that holds the key. |
KSK1-<zone name> | Specifies the friendly name of the self-signed certificate used with the existing KSK prior to rollover. |
ZSK1-<zone name> | Specifies the friendly name of the self-signed certificate used with the existing ZSK prior to rollover. |
ZSK2-<zone name> | Specifies the friendly name of the self-signed certificate used with the new ZSK that will be used following rollover. |
See Also
Concepts
When to Re-sign a Zone File
Appendix C: DNSSEC PowerShell Scripts