is TSIG key rollover possible?

Wed Sep 16 05:08:44 UTC 2009

Hi everyone:

I was reading the document "Deprecation of HMAC-MD5 in DNS TSIG and TKEY
Resource Records"
(http://www.ietf.org/id/draft-ietf-dnsext-tsig-md5-deprecated-03.txt)
and I thought "Darn, I must be prepared to do a TSIG renovation", so
started researching how to do it.

First step was checking if BIND supported a different algorithm, but the
BIND ARM for BIND9.5 and 9.6 indicates "The algorithm, hmac-md5, is the
only one supported by BIND". That seemed strange, considering the
document indicated above was originally proposed in 2008. So I "used the
source" and found out other algorithms are supported in 9.5 and 9.6, so
there is a mistake in the documentation.

Anyway, TSIG rollover is an operation needed as indicated on RFC 2385:

-------------------- RFC 2385 quote -----------------------------
6.2. Secret keys should be changed periodically.  If the client host
   has been compromised, the server should suspend the use of all
   secrets known to that client.  If possible, secrets should be stored
   in encrypted form.  Secrets should never be transmitted in the clear
   over any network.  This document does not address the issue on how to
   distribute secrets. Secrets should never be shared by more than two
   entities.
-------------------- RFC 2385 quote -----------------------------

but again the documentation indicates: "Multiple keys may be present,
but only the first is used."

So, to coordinate the retirement of an old TSIG key and the introduction
of a new one, it seems a close coordination between peers is needed in
order to make it work, within a 'maintenance window' where the
operations using the TSIG are not executed (in my particular interest,
zone transfers)? Is it not possible to gradually introduce a new key,
use both for a period of time and later retire the old one, similar to
what is done in DNSSEC?

Any experience on this matter that could be shared publicly or privately
will be appreciated.

Kind Regards
Sebastian Castro