Rolling Over a Key-Signing Key (KSK)

DNSSEC key-signing keys (KSKs) require annual rollover and key promotion.

KSK rollover begins annually when a replacement DNSSEC key version is automatically created. You need to complete the rollover process manually. You're notified that the new key version requires promotion in the Console. To avoid a service disruption, we also recommend that you set up alarms to ensure that you perform all required key rollovers on time. See DNSSEC for more information.
    1. Open the navigation menu and click Networking. Under DNS management, click Zones.
    2. Click the zone name in the list to open its Details page.
    3. In the zone, under Resources, click DNS security extensions.
    4. In the DNSSEC list, verify that the KSK for the zone has a status of Needs Promotion.
      Note

      You can roll over a KSK sooner than the default 1 year period. Click the key's Actions menu (Actions Menu) and then click Stage replacement key version. A new KSK is created.
    5. Create a new DS record containing the new KSK information in the parent zone. The parent zone can be an OCI zone, or a zone in another provider:
      1. In the zone, under Resources, click DNS security extensions.
      2. In the Promote KSK infoblock, choose the data type:
        • Structured: Digest fields are copied separately. Choose this option if the parent zone DNS provider requires separate input for each field in the DS record.
        • Unstructured: Digest fields are copied into a single string. Choose this option if the parent zone DNS provider allows presentation format input for the DS record.
      3. Click Copy to copy the digest information and the recommended TTL (time to live) information.
      4. Paste the DS record digest information into a DS record for the zone. If the zone is an OCI zone, see Adding a Record to a DNS Zone for instructions.
      5. Click Promote new key-signing key.
    6. Remove the old DS record containing the old KSK information from the parent zone.
      Important

      To avoid service disruptions, after the new DNSKEY record is created you must wait until the DNSKEY record's TTL expires before removing the old DS record.
  • Use the zone stage DNSSEC key version command to stage a new key:

    oci dns zone stage-dnssec-key-version --zone-name-or-id zone_name or zone_OCID --predecessor-dnssec-key-version-uuid previous-key-ID ... [OPTIONS]

    Use the zone promote DNSSEC key version command to promote the staged key:

    oci dns zone promote-dnssec-key-version --zone-name-or-id zone_name or zone_OCID --dnssec-key-version-uuid key-ID ... [OPTIONS]

    For a complete list of flags and variable options for CLI commands, see the CLI Command Reference.

  • Run the stageDnssecKeyVersion operation to stage a new key. Run the promoteDnssecKeyVersion operation to promote the staged key.
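As an added example (not OCI's code), the following Python derives the DS record for a KSK from its DNSKEY fields in both forms the procedure describes, structured fields and a single presentation-format string, and checks a DS record copied to the parent zone against it, which is the verification worth doing before clicking Promote new key-signing key. The owner name and the key bytes are constructed samples, not a real key.

```python
import base64
import hashlib
import struct

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA in wire format: flags (2 bytes), protocol, algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the form used for every algorithm except RSA/MD5)."""
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root byte."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def ds_fields(owner: str, flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> dict:
    """Structured DS fields; digest type 2 is SHA-256 over owner wire form + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}

def ds_presentation(fields: dict) -> str:
    """Unstructured DS: all fields as one presentation-format string."""
    return f"{fields['key_tag']} {fields['algorithm']} {fields['digest_type']} {fields['digest']}"

def parent_ds_matches(parent_ds: str, owner: str, flags: int, protocol: int,
                      algorithm: int, pubkey_b64: str) -> bool:
    """Check the DS text published at the parent against the child's KSK before promoting."""
    tokens = parent_ds.split()
    if len(tokens) < 4:
        return False
    try:  # the digest hex may be split across several whitespace-separated chunks
        got = {"key_tag": int(tokens[0]), "algorithm": int(tokens[1]),
               "digest_type": int(tokens[2]), "digest": "".join(tokens[3:]).upper()}
    except ValueError:
        return False
    return got == ds_fields(owner, flags, protocol, algorithm, pubkey_b64)

if __name__ == "__main__":
    # Constructed sample: KSK flags (257), algorithm 13, placeholder key bytes (not a real key).
    sample = ds_fields("example.com.", 257, 3, 13, "AQIDBA==")
    print(sample)
    print(ds_presentation(sample))
```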