How do I sign a .gov domain?
The recommended .gov zone signing procedures are here.
How do I unsign a .gov domain?
To unsign a domain, view the 'Active Keysets' page for the domain and, at the bottom, click and confirm the 'Unsign Domain' link. This removes the domain's DS RR from the .gov TLD, so validating resolvers stop expecting signatures from the zone.
When do I have to sign my .gov domains?
OMB requires all Federal .gov domains to be signed by December 2009. State, Native Sovereign Nation, and local government domains are not required to sign with DNSSEC.
Can I have a government contractor or ISP sign my .gov domains?
Yes. The trust model for .gov domains rests with the domain's POCs, so the initial KSK must be uploaded manually by a POC to ensure the signing is authorized by the personnel responsible for the domain. This is simple to do: all KSKs from the keyset-*.gov files generated by the initial successful signing can be concatenated by your contractor and emailed to you. These are public keys and are not sensitive.
Upon receipt, log in to www.dotgov.gov and upload the text file. The keys are tested and validated against the operational domain; if they pass, the domain(s) are signed. Future KSK rollovers are automated, because this initial KSK is used to validate the future KSKs and ZSKs found in the domain. You may turn off this automation and upload your KSK manually each time; this may be desirable if you outsource DNS operations and need to keep authority and trust within the government agency.
How do I add or change zone records after the zone is signed?
Here are the steps:
1. Add or change the record in the unsigned version of the zone file (never edit the .signed file; it is regenerated).
2. Make sure the $INCLUDE lines that pull your KSK and ZSK public-key files into this file are still present.
3. Increment the SOA serial number so this version is unique and greater than the one currently being served.
4. Re-sign the zone file.
5. Overwrite the .signed file on all authoritative name servers.
6. Reload or restart the name service on each authoritative name server.
You may wish to sign with your pre-published ZSK at this point and retire the current ZSK. If so, generate a new pre-published ZSK, update the $INCLUDE statements and the zone-signing command so the correct ZSKs are used, and thereby roll the active ZSK.
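The steps above as a worked helper in Python, added here as an example and not part of the dotgov.gov procedures: it appends the new records, bumps the SOA serial with 32-bit wrap-around (RFC 1982), makes sure each key file is pulled in by a $INCLUDE line, and then, if BIND's dnssec-signzone is on the PATH, re-signs the zone with the KSK and the active ZSK while a pre-published ZSK stays included but unused. The zone text, the record being added and the key file names (Kexample.gov.+008+NNNNN.key) are constructed for the example.

```python
"""Re-sign a .gov zone after a record change (added example, not dotgov.gov's own code).

Steps mirrored: edit the unsigned zone, keep the $INCLUDE lines for the
KSK/ZSK public keys, bump the SOA serial, run dnssec-signzone, deploy .signed.
"""
import re
import shutil
import subprocess

SERIAL_MODULUS = 1 << 32  # SOA serial is unsigned 32-bit; RFC 1982 serial arithmetic

# Constructed sample zone; key file names follow BIND's K<name>+<alg>+<keytag>.key pattern.
SAMPLE_ZONE = """\
$TTL 3600
example.gov. IN SOA ns1.example.gov. hostmaster.example.gov. (
        2009120101 ; serial
        7200 3600 1209600 3600 )
example.gov. IN NS ns1.example.gov.
ns1.example.gov. IN A 192.0.2.53
$INCLUDE Kexample.gov.+008+02063.key ; KSK
"""

# The serial is the first integer after the SOA MNAME and RNAME fields, even
# when the record is wrapped in parentheses over several lines.
_SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(?\s*(\d+)")


def bump_serial(zone_text):
    """Return (new_zone_text, new_serial) with the SOA serial incremented by one.
    A serial of 2^32-1 wraps to 0, which is still 'greater' under RFC 1982."""
    m = _SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone")
    new_serial = (int(m.group(1)) + 1) % SERIAL_MODULUS
    return zone_text[: m.start(1)] + str(new_serial) + zone_text[m.end(1):], new_serial


def ensure_includes(zone_text, key_files):
    """Append a $INCLUDE line for every public-key file not already included.
    The KSK and both ZSKs (active and pre-published) must be in the DNSKEY RRset."""
    present = set(re.findall(r"^\s*\$INCLUDE\s+(\S+)", zone_text, re.M | re.I))
    missing = [k for k in key_files if k not in present]
    if missing and not zone_text.endswith("\n"):
        zone_text += "\n"
    return zone_text + "".join("$INCLUDE %s\n" % k for k in missing)


def prepare_for_resign(zone_text, new_records, key_files):
    """Steps 1-3: add records, keep the key $INCLUDEs, bump the serial."""
    if new_records and not zone_text.endswith("\n"):
        zone_text += "\n"
    zone_text += "".join(rr + "\n" for rr in new_records)
    zone_text = ensure_includes(zone_text, key_files)
    return bump_serial(zone_text)


def resign_zone(zone_path, origin, ksk_base, active_zsk_base):
    """Step 4: run BIND's dnssec-signzone.  Only the active ZSK is named, so a
    pre-published ZSK that is $INCLUDEd is published but not used for signing.
    Returns the path of the .signed file to copy to every authoritative server."""
    if shutil.which("dnssec-signzone") is None:
        raise RuntimeError("dnssec-signzone not found; install the BIND 9 dnssec tools")
    subprocess.run(
        ["dnssec-signzone", "-o", origin, "-k", ksk_base, zone_path, active_zsk_base],
        check=True,
    )
    return zone_path + ".signed"


if __name__ == "__main__":
    text, serial = prepare_for_resign(
        SAMPLE_ZONE,
        ["www.example.gov. IN A 192.0.2.80"],  # the record being added (constructed)
        ["Kexample.gov.+008+02063.key",        # KSK (already included)
         "Kexample.gov.+008+11111.key",        # active ZSK
         "Kexample.gov.+008+22222.key"],       # pre-published ZSK
    )
    print("new serial:", serial)
    print(text)
```

Write the returned text back to the unsigned zone file, then call resign_zone() and copy the .signed output to every authoritative server before reloading (steps 5 and 6). To roll the ZSK, swap which key file is passed as active_zsk_base; the include list stays the same.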
What is the KSK and how is it used?
The Key Signing Key (KSK) serves as the trust anchor for your zone: it signs the zone's DNSKEY RRset, and validating resolvers reach it through the Delegation Signer (DS) resource record that the .gov TLD publishes on your behalf. NIST recommends rolling the KSK every 2 years.
How do I change from NSEC KSK keys to NSEC3 KSK keys?
Moving from NSEC to NSEC3 requires keys with an NSEC3-capable algorithm number, so it is handled as a key algorithm rollover. To change key algorithms, we suggest you follow the KSK rollover procedures detailed here, rolling the ZSK to the new algorithm at the same time so that every RRset in the zone is signed by the new algorithm before the old keys are removed.
Where do I find the .gov public KSK (trust anchor) and how do I use it?
The .gov public key can be downloaded here. Place it in the trusted-keys configuration of your recursive validating resolver (for example the 'trusted-keys' statement in BIND's named.conf), and verify it against a second source before trusting it, since anything configured as a trust anchor is accepted without further validation.
How do I publish my domain's public KSK?
To sign a .gov domain, upload the public KSK to the www.dotgov.gov website. If you keep the default options, the .gov Registrar Key Monitor service will monitor your zone for key rollovers and automatically publish future keys.
What are the steps required to roll my domain's KSK using a double-signature rollover procedure?
- Generate a new KSK.
- Include the new key in your zone file and double-sign the zone's DNSKEY RRset with both the old and new KSKs.
- If you are using the .gov Registrar Key Monitor service, wait up to 24 hours for an email notification that the new KSK was found and a DS RR was added to the .gov TLD. If you are not using the monitor, upload the new KSK keyset to the www.dotgov.gov website to create the DS RR in the TLD.
- Keep the zone double-signed for at least 2*TTL + 1 day, so that the old DS and DNSKEY RRsets expire from resolver caches.
- Remove the old KSK from the zone file and sign with the new KSK only.
What are the steps to perform an emergency or compromised KSK rollover procedure?
- Generate a new KSK and double-sign the zone, keeping the compromised KSK in the key set for now.
- Sign the key set with a short validity period (dnssec-signzone -e +3600, i.e. one hour, or one TTL, whichever is smaller) so that the signatures expire shortly after the DS RR is expected to appear in the .gov TLD.
- Upload the keyset containing the new KSK to the www.dotgov.gov web site.
- Email or call the .gov Registrar helpdesk and ask for an immediate KSK roll and TLD update.
- Upon receipt of the automated DS RR email from the www.dotgov.gov system, wait one TTL period, then remove the compromised DNSKEY RR from the zone and re-sign the key set using your standard validity interval.
- Log into www.dotgov.gov and select Unsign Domain for this domain.
- Immediately after unsigning the domain, upload the new keyset for this domain to force a rollover on the TLD.
What are the steps to perform a lost KSK rollover procedure?
A lost KSK cannot be used to double-sign, so the roll will cause SERVFAIL responses from validating resolvers until the new DS RR is published and the old one has expired from caches; schedule it for Friday or Saturday morning to minimize disruption:
- Generate a new KSK and sign the zone with the new KSK and the existing ZSKs.
- Log into www.dotgov.gov and select Unsign Domain for this domain.
- If using the .gov Registrar Key Monitor, wait for the standard Key Monitor email notifying you of the DS RR creation and publish event.
- (alternate) If the .gov Registrar Key Monitor service is not enabled for this domain, upload the keyset for the new KSK manually.
- Wait one TTL period; after that the SERVFAIL errors should cease.
What is the ZSK and why do I need it?
The KSK signs only the zone's DNSKEY RRset; the Zone Signing Key (ZSK) signs everything else in the zone. Separating the two simplifies key rollover: the ZSK can be rolled frequently without changing the DS RR in the .gov TLD, while the KSK, which does require a TLD update, is rolled rarely. It is possible to sign a domain with a single key, but then every rollover requires interaction with the .gov TLD.
How often should I roll my ZSK?
NIST recommends rolling the ZSK every 30 to 90 days.
Why do the .gov zone signing instructions have me create 2 ZSKs?
Since the ZSK rolls more frequently, pre-publishing the next ZSK during each rollover cuts the labor in half: the next key is already in resolver caches when it becomes the active signing key.
What are the steps to perform a pre-publish ZSK rollover on the .gov TLD?
1. Generate a new ZSK.
2. Include the new key in your zone file, but continue signing with the old ZSK and the KSK only (the new ZSK is published, not yet used).
3. If you are using the .gov Registrar Key Monitor service, wait up to 24 hours for an email notification that the new ZSK was found in your zone and whether it meets minimum standards.
4. Keep the new ZSK pre-published for at least 2*TTL + 1 day while DNS propagates.
5. Remove the old ZSK from the zone file and sign with the pre-published ZSK and the existing KSK.
6. (Optional) Generate another new ZSK and pre-publish it in place of the old ZSK while performing step 5, which cuts the labor in half; repeat steps 5 and 6 whenever a ZSK rollover is needed.
Do I need to upload my domain's public ZSK to the .gov TLD?
No. Only the KSK is referenced by the DS RR in the .gov TLD, so only the KSK creates the chain of trust between the TLD and your domain; the ZSK is trusted because the KSK signs your zone's DNSKEY RRset.
What is the .gov Registrar Key Monitor and what does it do?
The .gov Registrar Key Monitor tests signed domains for issues that need attention and for key rollover events. When the Monitor finds a new KSK in use, it automatically publishes a Delegation Signer (DS) resource record for it in the .gov TLD. The Admin POC and Technical POC are both sent an email if the monitor identifies an issue or event.
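The KSK-to-DS relationship the monitor relies on (and the reason only the KSK is uploaded to the TLD) as a worked example in Python: derive the DS rdata from a DNSKEY per RFC 4034 section 5 and Appendix B, and check a DS as published in the parent against the DNSKEY in your zone. This is added example code, not the .gov Registrar Key Monitor's own implementation, and the DNSKEY it uses is a constructed toy key with a 4-byte placeholder key field rather than a real RSA key.

```python
"""Derive a DS record from a KSK and check a published DS against a DNSKEY
(RFC 4034 section 5 and Appendix B).  Added example; not the .gov Registrar
Key Monitor's own code."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256.
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256}

# Constructed toy KSK: flags 257 (ZONE + SEP), protocol 3, algorithm 8, with a
# 4-byte placeholder public key (a real RSA key field is hundreds of bytes).
EXAMPLE_KSK = "example.gov. 3600 IN DNSKEY 257 3 8 AQIDBA=="


def owner_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminated by the zero-length root label."""
    name = name.rstrip(".").lower()
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def parse_dnskey(rr_text):
    """Parse '<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <base64 key>'
    into (owner, rdata bytes)."""
    fields = rr_text.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY rdata (not valid for the
    obsolete RSA/MD5 algorithm 1, which uses a different formula)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSA/MD5) key tag not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr_text, digest_type=2):
    """Return (key_tag, algorithm, digest_type, digest_hex): the DS rdata the
    .gov TLD would publish for this DNSKEY.  digest = H(owner_wire || rdata)."""
    owner, rdata = parse_dnskey(rr_text)
    flags = struct.unpack("!H", rdata[:2])[0]
    if not flags & 0x0100:
        raise ValueError("ZONE flag clear: a DS must point at a zone key")
    digest = DIGEST_ALGOS[digest_type](owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_matches_dnskey(ds_text, dnskey_text):
    """True if the DS record (as published in the parent) was derived from
    this DNSKEY: same owner, key tag, algorithm, digest type and digest."""
    fields = ds_text.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    digest = "".join(fields[i + 4:]).upper()
    if dtype not in DIGEST_ALGOS:
        return False  # unknown digest type: treat as no match, never as valid
    if owner_to_wire(fields[0]) != owner_to_wire(dnskey_text.split()[0]):
        return False
    return (tag, alg, dtype, digest) == ds_from_dnskey(dnskey_text, dtype)


if __name__ == "__main__":
    tag, alg, dtype, digest = ds_from_dnskey(EXAMPLE_KSK)
    print("example.gov. IN DS %d %d %d %s" % (tag, alg, dtype, digest))
```

To check a live delegation, feed ds_matches_dnskey() the DS RR returned by the .gov TLD servers and the flags-257 DNSKEY RR served by your own authoritative servers; a mismatch after a KSK roll means the TLD is still publishing the DS for the old key, which is exactly the state the double-signing overlap period is meant to cover.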
When I opt-out of the .gov Registrar Key Monitor Service, what does that mean?
If you opt out of the .gov Registrar Key Monitor Service, the daily key checks do not occur and new Key Signing Keys (KSKs) must be published manually through the www.dotgov.gov web site.