Automation of DNSSEC DS record rollover
A DNSSEC Delegation Signer (DS) record is a DNS record hosted in the Top Level Domain (TLD) zones and in the root DNS zone. DNSSEC uses it to build the chain of trust between a zone and its child zones. For example, the DS record for the zone “infoblox.com” is hosted on the Name Server of the TLD zone “com”, and in turn the DS record for “com” is hosted on the Name Server of the root zone “.”.
The DS record for a zone is equal to a hash value of its public Key Signing Key (KSK). For example, the DS record for “infoblox.com” is equal to a hash of the public KSK for this zone.
The issue
Upon a rollover of the KSK of a DNSSEC-signed zone like “infoblox.com”, we must update the Name Server for the zone “com” with the new DS. This operation is still a manual one, and that is where the issue lies. The IT department of the organisation must remember to send the new DS value to their ISP, which in turn manages the update of the DS record in the “com” zone.
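As an added example (not code from the original post), here is the DS derivation that RFC 4034 specifies for the record described above, together with the check a rollover automation or monitoring job needs: whether the parent's published DS set already covers the KSK now in use. The zone name comes from the post; the two KSKs, their key bytes and the parent's DS set are constructed placeholders.

```python
import base64
import hashlib
import struct

ZONE = "infoblox.com"
# Constructed placeholder KSKs: flags 257 marks a KSK, protocol is always 3,
# algorithm 13 is ECDSAP256SHA256. The key bytes are NOT real keys; they only
# exercise the DS derivation, which treats the public key as opaque bytes.
OLD_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "AQIDBA=="}
NEW_KSK = {"flags": 257, "protocol": 3, "algorithm": 13, "public_key": "CgsMDQ=="}

def name_to_wire(name):
    """Canonical owner name: lower-cased, length-prefixed labels, then the root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(key):
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), raw public key."""
    header = struct.pack("!HBB", key["flags"], key["protocol"], key["algorithm"])
    return header + base64.b64decode(key["public_key"])

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(owner, key):
    """DS as (key tag, algorithm, digest type, hex digest) using SHA-256 (type 2).
    RFC 4034 s5.1.4: digest = SHA-256(canonical owner name | DNSKEY RDATA)."""
    rdata = dnskey_rdata(key)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), key["algorithm"], 2, digest)

def ds_presentation(owner, ds):
    """Zone-file form of the DS record, as the parent ("com") would publish it."""
    return "%s. IN DS %d %d %d %s" % ((owner.rstrip("."),) + ds)

def parent_covers_ksk(owner, key, parent_ds_set):
    """The rollover check: does the parent's DS set already cover this KSK?"""
    return ds_from_dnskey(owner, key) in set(parent_ds_set)

if __name__ == "__main__":
    parent = [ds_from_dnskey(ZONE, OLD_KSK)]   # what "com" currently serves
    print(ds_presentation(ZONE, parent[0]))
    # After rolling to NEW_KSK the parent still serves only the old DS: the stale
    # state the post warns about, which automation or monitoring must catch.
    print("new KSK covered at parent:", parent_covers_ksk(ZONE, NEW_KSK, parent))  # False
```

In practice the parent's DS set would be fetched with a DNS query rather than constructed inline; the comparison is the same.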
In my experience, reputable organisations have abstained from adopting DNSSEC altogether due to this shortcoming. Their concern is: “What happens if we forget to update our DS record at the TLD zone? Especially after having prompted our clients to use DNSSEC validation of our DNS record values for enhanced security purposes.”
The Future
If we can automate the transfer of the new DS record to the Name Server of the parent zone, then DNSSEC itself becomes far easier to operate, encouraging organisations to adopt it in a set-and-forget manner.