News | 16.08.2016

DNSSEC: New Hardware, New Key

After five years of productive operation with DNSSEC and the preceding testbed, time had come to replace the cryptographic hardware (Hardware Security Module, HSM) used for signing the .de zone. Since the private DNSSEC keys cannot – by definition – be read out from the HSM, the new HSM brings along new keys. This time a new Key Signing Key (KSK). While the Zone Signing Keys (ZSK) are already being replaced every five weeks, this is the first time for us to perform a complete KSK rollover. In the future, KSK rollovers will be implemented as required.

Need for Action: None
We have performed this action applying the "Double-DS" scheme as defined in RFC 6781, which is fully transparent for the validating resolver. With this scheme, two DS records remain valid for DE in the root zone for a transition period. "Double DS" is particularly suited when replacing the KSK and the HSM at the same time because it does not need double KSK signatures.

Dreams of the Future: Elliptical Curves
We have maintained the cryptographic parameters, in particular the algorithm (RSA) and the key length (2048 bit). Even though new solutions like elliptical curves (EC) offer advantages due to significantly reduced signature length, we think it is too early to switch to this solution at the TLD level. DENIC is involved in the related discussion in the standardisation and the operative communities.

Since September 2015, DENIC supports the registration of ECDSA and GOST keys for second level domains. About 250 of the currently roughly 50,000 signed .de domains make use of this EC procedure.

Good to know:
Also for the root zone, a KSK rollover is coming up. At present we are planning an implementation that will be finished in early 2018. An update of the root trust anchor is mandatory in this context for each validating resolver. The operators of these resolvers should obtain information from ICANN in due time and carry out the necessary update, if required.