
Use case: How to revoke a compromised active key

Perform the following procedure to revoke the compromised active key.

Points to note:

  • Overlap period: To allow a smooth transition, we recommend an overlap period during which both the old and the new keys are active.
  • DNSKEY TTL values: The TTL determines how long DNS records are cached. Set TTL values that leave enough time for the new key to be activated.
  • Propagation time: When planning to revoke a compromised key, allow for the time needed for the new key to be updated on all GSLB sites before it can be used.
  • Delay in updating the parent zone: When updating DS records in the parent zone, be aware of potential delays. These delays can affect your domain’s security and reliability. Registrars have their own timelines and requirements for updating DS records in the parent zone.

In this use case, the existing keys are key 1 and key 2. Key 1 is active and is used to sign the DNSKEY RRset. Key 2 is the stand-by key: it is present in the DNSKEY RRset but was not used to sign the RRset. When the active key (key 1) is compromised, perform the following:

  1. Create key 3.

    At the command prompt, type:

    create dns key -zoneName example.com -fileNamePrefix Key3.ksk -keytype ksk -keysize 1024 -algorithm RSASHA256

  2. Activate key 2 using the sign zone command.

    At the command prompt, type:

    sign dns zone example.com -keyName Key2.ksk
    Done

  3. Update the DS record for the new key in the parent zone.

  4. Verify that the new key is updated in all GSLB sites.

  5. Revoke the compromised active key (key 1).

    At the command prompt, type:

    set dns key Key1.ksk -revoke

  6. Monitor the DNSSEC key status.

  7. Delete the compromised key (key 1).

    Note:

    If you revoke key 1, it remains in the system unless you explicitly delete it. When the auto-rollover option is set and you do not delete the key manually, the system rolls the key over automatically after the configured expiration date. During the auto-rollover process, a new key is created for you to use as needed.

    At the command prompt, type:

    rm dns key Key1.ksk

    Key 2 is now the active key and key 3 is the stand-by key.

Note:

The revocation procedure is the same for ZSKs, except that the parent zone does not need to be updated after the key is deleted.
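Steps 4 and 6 of the procedure ask you to verify that the new key has reached all GSLB sites and to monitor key status. The following Python script is an added example, not part of this article or of NetScaler, that does both offline against DNSKEY records in presentation format: it computes RFC 4034 key tags, lists the GSLB sites whose DNSKEY RRset still lacks the new key, and flags records carrying the RFC 5011 REVOKE bit. The site names, owner name and key material are constructed sample values.

```python
"""Added example (not NetScaler code): check DNSKEY propagation and REVOKE status."""
import base64

REVOKE = 0x0080  # RFC 5011 REVOKE flag bit
SEP = 0x0001     # Secure Entry Point bit, set on KSKs

def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR into a dict."""
    owner, ttl, _cls, rtype, flags, proto, alg, *b64 = line.split()
    if rtype != "DNSKEY":
        raise ValueError("not a DNSKEY record: " + line)
    return {"owner": owner, "ttl": int(ttl), "flags": int(flags),
            "protocol": int(proto), "algorithm": int(alg),
            "pubkey": base64.b64decode("".join(b64))}

def key_tag(rec):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = (rec["flags"].to_bytes(2, "big")
             + bytes([rec["protocol"], rec["algorithm"]]) + rec["pubkey"])
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_status(rrset):
    """Summarise each key as (key tag, role, revoked). The flags are part of the
    rdata, so a revoked key's tag differs from its pre-revocation tag."""
    out = []
    for line in rrset:
        rec = parse_dnskey(line)
        role = "KSK" if rec["flags"] & SEP else "ZSK"
        out.append((key_tag(rec), role, bool(rec["flags"] & REVOKE)))
    return out

def sites_missing_key(site_rrsets, pubkey_b64):
    """GSLB sites whose DNSKEY RRset lacks the given public key. Matches on key
    material rather than key tag so that a revoked copy still counts as present."""
    wanted = base64.b64decode(pubkey_b64)
    return sorted(site for site, rrset in site_rrsets.items()
                  if not any(parse_dnskey(rr)["pubkey"] == wanted for rr in rrset))

# Constructed sample: Key1 (active KSK), Key2 (stand-by), Key3 (new); site C lags.
KEY1 = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="
KEY2 = "example.com. 3600 IN DNSKEY 257 3 8 BQYHCA=="
KEY3 = "example.com. 3600 IN DNSKEY 257 3 8 CQoLDA=="
KEY1_REVOKED = "example.com. 3600 IN DNSKEY 385 3 8 AQIDBA=="  # 257 | REVOKE
SITES = {"gslb-site-a": [KEY1, KEY2, KEY3], "gslb-site-b": [KEY1, KEY2, KEY3],
         "gslb-site-c": [KEY1, KEY2]}
```

In practice, feed it the DNSKEY RRset fetched from each site (for example with `dig @<site-address> example.com DNSKEY`); do not revoke key 1 until `sites_missing_key(...)` returns an empty list for key 3.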
