
DNSSEC Key Management and Rotation

Learn how to manage DNSSEC keys, rotate them securely, and maintain your DNSSEC setup

Understanding Key Types

Key Signing Key (KSK)

  • Long-lived (1-2 years)
  • Signs the DNSKEY RRset, and so vouches for the Zone Signing Keys
  • Its DNSKEY is hashed into the DS record published in the parent zone
  • Rotation requires a DS update at the parent (through your registrar)
  • Rotated less frequently

Zone Signing Key (ZSK)

  • Shorter-lived (about 3 months)
  • Signs the zone's data records (A, AAAA, MX, TXT, ...)
  • Produces the RRSIG records that validators check
  • No parent zone update needed
  • Rotated more frequently

Key Rotation Strategy

Regular key rotation limits how long a leaked or weak key is useful to an attacker and keeps the rollover procedure exercised. Here is the recommended approach:

  1. ZSK Rotation (about every 3 months): pre-publish the new ZSK in the DNSKEY RRset, switch signing to it once every resolver can have the new key cached, then retire the old ZSK once every signature it made has aged out of caches
  2. KSK Rotation (every 1-2 years): publish the new KSK alongside the old one and sign the DNSKEY RRset with both, have the parent publish the new DS, then withdraw the old DS and finally the old KSK
  3. Overlap Period: keep both old and new keys published until the relevant TTLs (the DNSKEY TTL, the largest TTL in the zone, and the parent's DS TTL for a KSK) plus propagation time have elapsed. In practice this works out to 2-4 weeks, but the bound is set by the TTLs, not by the calendar
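The waiting times in the strategy above are what most rollovers get wrong, so here is an added example (not code from the original guide or from any DNS vendor) that turns the zone's TTLs into the earliest safe date for each step of a pre-publish ZSK rollover and a double-signature KSK rollover, following the timing rules of RFC 6781. All TTLs, delays and dates used are constructed illustrations; substitute your own zone's values.

```python
# Added example (not part of the original guide): earliest safe dates for each
# step of a pre-publish ZSK rollover and a double-signature KSK rollover,
# derived from the zone's TTLs the way RFC 6781 describes. Every TTL, delay and
# date below is a constructed illustration, not measured from a real zone.
from datetime import datetime, timedelta


def zsk_rollover_schedule(start, dnskey_ttl, max_zone_ttl,
                          propagation=timedelta(hours=1),
                          safety=timedelta(days=1)):
    """Pre-publish ZSK rollover.

    start:        when the new ZSK is added to the DNSKEY RRset
    dnskey_ttl:   TTL of the DNSKEY RRset
    max_zone_ttl: largest TTL of any record the ZSK signs
    propagation:  time for a zone update to reach every authoritative server
    safety:       extra margin added to every wait
    """
    # Resolvers may keep the old DNSKEY RRset for dnskey_ttl after the last
    # authoritative server started serving the new one, so signing with the
    # new key has to wait that long.
    sign_at = start + propagation + dnskey_ttl + safety
    # After the switch, RRSIGs made by the old key can sit in caches for up to
    # max_zone_ttl; only then may the old ZSK leave the DNSKEY RRset.
    retire_at = sign_at + propagation + max_zone_ttl + safety
    return {"publish": start, "sign": sign_at, "retire_old": retire_at}


def ksk_rollover_schedule(start, dnskey_ttl, ds_ttl,
                          propagation=timedelta(hours=1),
                          parent_publish_delay=timedelta(days=1),
                          safety=timedelta(days=1)):
    """Double-signature KSK rollover with a DS add/remove at the parent.

    start:                when the new KSK is published and the DNSKEY RRset
                          is signed by both the old and the new KSK
    ds_ttl:               TTL of the DS RRset in the parent zone
    parent_publish_delay: time between submitting a DS change to the registrar
                          and the parent actually serving it
    """
    # The new DNSKEY must be cacheable everywhere before the parent points at it.
    submit_ds_at = start + propagation + dnskey_ttl + safety
    # The old DS may go once every resolver can have fetched the new DS RRset.
    remove_old_ds_at = submit_ds_at + parent_publish_delay + ds_ttl + safety
    # The old KSK may go once the old DS has aged out of every cache.
    retire_old_ksk_at = remove_old_ds_at + parent_publish_delay + ds_ttl + safety
    return {"publish": start, "submit_ds": submit_ds_at,
            "remove_old_ds": remove_old_ds_at, "retire_old_ksk": retire_old_ksk_at}


def safe_to_retire(schedule, now):
    """Guard for the final step: True only once the computed retire date has passed."""
    key = "retire_old" if "retire_old" in schedule else "retire_old_ksk"
    return now >= schedule[key]


if __name__ == "__main__":
    start = datetime(2025, 1, 6)  # constructed start date
    zsk = zsk_rollover_schedule(start, timedelta(hours=1), timedelta(days=1))
    ksk = ksk_rollover_schedule(start, timedelta(hours=1), timedelta(days=1))
    for label, plan in (("ZSK", zsk), ("KSK", ksk)):
        for step, when in plan.items():
            print(f"{label} {step:15s} {when:%Y-%m-%d %H:%M}")
```

Feed the functions the real TTLs from your zone and the parent's DS TTL (query the parent's nameservers for it; TLDs commonly use 86400 seconds) rather than guessing, and treat the returned dates as "not before" times for the corresponding steps in the procedures below.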

ZSK Rotation Process

  1. Generate the new ZSK using your DNS software or provider
  2. Add the new ZSK to the DNSKEY RRset (both old and new ZSKs published, RRset signed by the KSK)
  3. Wait at least the DNSKEY TTL plus propagation time, so every resolver that has the DNSKEY RRset cached can have picked up the new key
  4. Re-sign all records with the new ZSK (creates new RRSIG records); keep the old ZSK published
  5. Wait at least the largest TTL in the zone plus propagation time (typically 2-4 weeks in practice) so no resolver still holds an RRSIG made by the old key
  6. Remove the old ZSK from the DNSKEY RRset
  7. Verify DNSSEC validation still works (for example, query a validating resolver with `dig +dnssec` and check that the AD flag is set)

KSK Rotation Process

Important: KSK rotation requires coordination with your registrar (or whoever operates the parent zone) to update DS records. The parent's DS TTL and the registrar's publication delay, not a fixed 24-48 hours, determine how long each wait has to be.

  1. Generate the new KSK
  2. Add the new KSK to the DNSKEY RRset and sign the RRset with both the old and the new KSK (double signature)
  3. Wait at least the DNSKEY TTL plus propagation time so resolvers can have the new DNSKEY RRset cached
  4. Generate the DS record from the new KSK (digest type 2, SHA-256)
  5. Submit the new DS record to the registrar (both old and new DS records should now exist in the parent)
  6. Wait until the parent is serving the new DS, then at least the parent's DS TTL
  7. Verify the chain of trust through the new KSK (check that the DS in the parent matches the DNSKEY you serve, and that a validating resolver returns AD)
  8. Remove the old DS record at the registrar
  9. Wait at least the parent's DS TTL again, so no resolver still holds the old DS
  10. Remove the old KSK from the DNSKEY RRset and re-sign the RRset with the new KSK only
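Steps 4 and 7 above are easy to get wrong by hand (a DS built over the wrong owner name, or with mixed-case labels, validates nothing). The following is an added example, not code from the original guide or from any DNS software, that derives the DS record from a KSK's DNSKEY fields using the RFC 4034 key tag and the RFC 4509 SHA-256 digest, and checks a DS published at the parent against the DNSKEY you serve. The public key in it is a constructed 64-byte placeholder, not a real curve point; the owner name `example.com.` is likewise an assumption.

```python
# Added example (not part of the original guide): compute the DS record for a
# KSK from its DNSKEY fields (RFC 4034 key tag, RFC 4509 SHA-256 digest) and
# check a DS published at the parent against the DNSKEY you serve.
# The DNSKEY public key below is a constructed placeholder, not a real key.
import base64
import hashlib


def name_to_wire(name):
    """Owner name in canonical wire form: lowercase labels, each length-prefixed."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags(2) protocol(1) algorithm(1) public key."""
    return (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
            + base64.b64decode(pubkey_b64))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, digest_hex) for digest type 2.

    RFC 4509: digest = SHA-256(canonical owner name || DNSKEY RDATA).
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def ds_matches(owner, dnskey_fields, ds_fields):
    """True if the DS (tag, alg, digest type 2, hex digest) was made from this DNSKEY."""
    tag, alg, dtype, digest = ds_fields
    if dtype != 2:
        raise ValueError("only digest type 2 (SHA-256) is handled here")
    return ds_from_dnskey(owner, *dnskey_fields) == (tag, alg, dtype, digest.upper())


# Constructed KSK: flags 257 (ZONE + SEP bits), protocol 3, algorithm 13,
# with a placeholder 64-byte "public key" that is NOT a real P-256 point.
FAKE_PUBKEY = base64.b64encode(bytes(range(64))).decode()
OWNER = "example.com."
KSK = (257, 3, 13, FAKE_PUBKEY)

if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(OWNER, *KSK)
    print(f"{OWNER} IN DS {tag} {alg} {dtype} {digest}")
```

To verify step 7 in practice, query the parent's nameservers for the DS RRset, query your own servers for the DNSKEY RRset, and pass each published DS through `ds_matches` against the KSK with the matching key tag: a mismatch on either the digest or the tag means the parent is pointing at a key you do not serve.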

Key Lifecycle Management

Key Generation

Use algorithm 13 (ECDSAP256SHA256) for new keys: it gives small keys and signatures and is validated by all current resolvers. Note that moving an existing zone from another algorithm (for example 8, RSASHA256) to 13 is an algorithm rollover with its own ordering rules, not an ordinary key rotation. Ensure keys are generated with sufficient entropy and stored securely. Never share private keys.

Key Storage

Store private keys securely with appropriate access controls. Use hardware security modules (HSM) for production environments. Keep backups in secure, encrypted storage.

Key Revocation

If a key is compromised, generate replacement keys immediately and run an emergency rollover. For a ZSK, publish the new key and re-sign with it in one step (the old signatures cannot be trusted anyway), then drop the old ZSK after the zone's largest TTL. For a KSK, publish the new KSK, get the new DS into the parent as fast as the registrar allows, then remove the old DS and the old KSK. Either way there is a trade-off to decide in advance: retiring the compromised key faster than the TTLs allow causes validation failures for resolvers with stale caches, while waiting leaves a window in which whoever holds the key can forge signed responses. Write the choice into your procedure so it is not made under pressure.

Monitoring and Alerts

Set up monitoring for:

  • RRSIG expiration dates (alert 2 weeks before expiration)
  • Key rotation schedules
  • DNSSEC validation failures
  • DS record changes
  • DNSKEY record changes
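Of the items above, RRSIG expiry is the one most often checked by hand. Here is an added example (not code from the original guide or from any monitoring product) that parses RRSIG records in presentation format, as `dig` prints them, and classifies each as ok, expiring within the alert window, already expired, or not yet valid. The records and the reference time are constructed samples; the signature fields are filler, not real signatures.

```python
# Added example (not part of the original guide): flag RRSIG records that are
# close to expiry, already expired, or not yet valid. The records below are
# constructed samples whose signature fields are filler, not real signatures.
from datetime import datetime, timedelta, timezone

ALERT_WINDOW = timedelta(days=14)  # the guide's "alert 2 weeks before expiration"

# Constructed RRSIG lines in presentation format:
# owner ttl class RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
SAMPLE_RRSIGS = """\
example.com. 3600 IN RRSIG A 13 2 3600 20250301120000 20250201120000 59408 example.com. c2lnMQ==
example.com. 3600 IN RRSIG MX 13 2 3600 20250210120000 20250111120000 59408 example.com. c2lnMg==
example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20250125120000 20241226120000 59409 example.com. c2lnMw==
www.example.com. 300 IN RRSIG A 13 3 300 20250320120000 20250220120000 59408 example.com. c2ln NA==
"""


def parse_ts(s):
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG record; the signature may be wrapped over several tokens."""
    t = line.split()
    if len(t) < 13 or t[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": t[0], "covered": t[4], "algorithm": int(t[5]),
        "expiration": parse_ts(t[8]), "inception": parse_ts(t[9]),
        "key_tag": int(t[10]), "signer": t[11],
        "signature": "".join(t[12:]),
    }


def classify(rrsig, now, window=ALERT_WINDOW):
    """Validators reject signatures outside [inception, expiration)."""
    if now < rrsig["inception"]:
        return "not_yet_valid"   # clock skew or a future-dated signing run
    if now >= rrsig["expiration"]:
        return "expired"         # zone is already failing validation
    if rrsig["expiration"] - now <= window:
        return "expiring"        # re-sign before this becomes "expired"
    return "ok"


def check_rrsigs(text, now, window=ALERT_WINDOW):
    """Return (owner, covered type, key tag, status, time until expiry) per record."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        r = parse_rrsig(line)
        results.append((r["owner"], r["covered"], r["key_tag"],
                        classify(r, now, window), r["expiration"] - now))
    return results


def alerts(text, now, window=ALERT_WINDOW):
    """Only the records that need attention."""
    return [r for r in check_rrsigs(text, now, window) if r[3] != "ok"]


if __name__ == "__main__":
    now = datetime(2025, 2, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time
    for owner, covered, tag, status, left in alerts(SAMPLE_RRSIGS, now):
        print(f"{status:14s} {owner} {covered} (key tag {tag}) expires in {left}")
```

In a real check, replace `SAMPLE_RRSIGS` with the output of a `dig +dnssec` query against each authoritative server (not a recursive one, whose cache can hide a server that stopped re-signing) and use the current UTC time as `now`; the DNSKEY RRSIG, made by the KSK, deserves its own alert since its expiry takes the whole zone down at once.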

Best Practices

  • Maintain a key rotation calendar and schedule
  • Test key rotation on non-production domains first
  • Document your key management procedures
  • Use automated tools when possible (most DNS providers handle this)
  • Keep detailed logs of all key operations
  • Have a rollback plan for failed rotations

Provider-Specific Notes

Cloudflare

Cloudflare handles key rotation automatically. You don't need to manually rotate keys, but you can view key information in the dashboard.

Route 53

Route 53 keeps the KSK in an asymmetric AWS KMS key (ECC_NIST_P256, DNSSEC algorithm 13) in your account and creates and manages the ZSK for you. KMS automatic key rotation only applies to symmetric encryption keys, so it does nothing for the KSK: rotating the KSK is a manual procedure in Route 53 (add a second KSK to the hosted zone, publish the new DS at the parent, then deactivate and delete the old KSK once the old DS has been removed and has aged out).

BIND

Manual key rotation by default: use dnssec-keygen to generate keys and dnssec-signzone to sign zones, and drive the rollover timeline yourself. BIND 9.16 and later can automate the whole key lifecycle, including rollovers, with a dnssec-policy statement in named.conf; prefer that for new deployments and keep the manual tools for one-off operations.

Next Steps

  • Set up key rotation schedule
  • Configure monitoring and alerts
  • Document your procedures
  • Use our timeline tool to track key events
  • Review best practices