DNSSEC Key Rotation (ZSK and KSK) in Cloudflare

I would like to know if there is a mechanism to rotate the ZSK and KSK in the domains that enabled DNSSEC.

Of course ZSK rotation is easy and should be automatically rotated within Cloudflare. However, KSK rotation needs user action to update the new DS records to domain registrar.

It is not very secure if KSK is kept static for months and years, and HKIRC also suggest to rotate every year. We do have KSK rotation using double-signature mechanism before migrating to Cloudflare, but we do not see any clues or hints if this can be set in Cloudflare.

Hope anyone can give information regarding this.

I’m not aware of any mechanism to accomplish key rotation within Cloudflare at this time.

EDIT: And if I’m wrong, I’d love to know about it. But the user largely has to be involved because of the registrar update requirement. There are a couple schemes attempting to automate this, but I’m not aware of anything deployed widely enough to be used.

1 Like