Identify the Rollover Mechanism

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Key rollover is the process by which a key is replaced with a new key and the associated signatures are updated. Before you sign a zone, you must identify the rollover mechanism that is best suited for your organization.

To review the advantages and disadvantages associated with different key management options, see Key rollover.

For definitions of the terms used to describe key rollover mechanisms, see DNSSEC Terminology.

For detailed information about key rollover mechanisms, see section 4.2 of RFC 4641.

Key rollover mechanisms

To make zone re-signing and key rollover procedures easier to implement, it is possible to use one or more keys as Key Signing Keys (KSKs). These keys will only sign the apex DNSKEY Resource Record Set (RRSet) in a zone. Other keys can be used to sign all the RRSets in a zone and are referred to as Zone Signing Keys (ZSKs).


This document assumes that KSKs are the subset of keys that are used for key exchanges with the parent and potentially for configuration as trust anchors or Secure Entry Point (SEP) keys. A one-to-one mapping is assumed between KSK and SEP keys, with the SEP flag assumed to be set on all KSKs.

To facilitate key rollover, a signed zone may operate with multiple keys (old and new) until the old keys are no longer in use and can be removed. The following two methods can be used to allow a signed zone to use multiple keys:

  • Pre-published rollover. When you use the pre-published method, a new ZSK or KSK is introduced into the DNSKEY RRSet along with the existing keys. When the new keys have propagated, the zone is re-signed with the new key. The old key can then be removed from the DNSKEY RRSet.

  • Double signature rollover. When you use the double signature method, more than one key is used in signing.
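The following Python sketch is an added example, not Microsoft's code: it classifies the keys in a DNSKEY RRSet as KSK or ZSK by the SEP flag and reports which ZSKs are signing and which are only published during a pre-published rollover. The zone name, the dummy key material and the function names are assumptions made for illustration.

```python
import base64
import struct

ZONE_KEY = 0x0100  # Zone Key flag (RFC 4034, section 2.1.1)
SEP = 0x0001       # Secure Entry Point flag, assumed set on every KSK

# Constructed DNSKEY RRSet mid-rollover: one KSK, the old ZSK and a
# pre-published ZSK. Key material is 4 dummy bytes per key, not real RSA keys.
SAMPLE_DNSKEYS = """\
example.com. 3600 IN DNSKEY 257 3 5 CQoLDA==
example.com. 3600 IN DNSKEY 256 3 5 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 5 BQYHCA==
"""

def key_tag(flags, protocol, algorithm, key):
    """Key tag computed over the DNSKEY RDATA (RFC 4034, appendix B)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Return {key_tag: 'KSK' or 'ZSK'} for DNSKEY lines in zone-file form."""
    keys = {}
    for line in text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = map(int, fields[i + 1:i + 4])
        key = base64.b64decode("".join(fields[i + 4:]))
        if not flags & ZONE_KEY:
            continue  # not a zone key, so it cannot sign zone data
        role = "KSK" if flags & SEP else "ZSK"
        keys[key_tag(flags, protocol, algorithm, key)] = role
    return keys

def rollover_report(dnskey_text, rrsig_key_tags):
    """Classify ZSKs given the key tags seen in RRSIGs over zone data."""
    keys = parse_dnskeys(dnskey_text)
    zsks = {tag for tag, role in keys.items() if role == "ZSK"}
    signing = set(rrsig_key_tags)
    return {
        "signing": sorted(zsks & signing),
        # Pre-published new key, or old key awaiting removal after re-signing.
        "published_only": sorted(zsks - signing),
        # RRSIGs that reference a key no longer published: validation breaks.
        "missing": sorted(signing - set(keys)),
    }
```

An empty `missing` list on the authoritative server is necessary but not sufficient: resolvers may still hold signatures made with the old key in cache, which is why the old key stays published until the new data has propagated.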

See Also


When to Re-sign a Zone File
Perform a Pre-Published ZSK Rollover
Perform a Double Signature ZSK Rollover
Perform a Double Signature KSK Rollover