“Sign and serve” DNSSEC

The “sign and serve” DNSSEC feature lets you offload DNSSEC entirely to Akamai's existing key management infrastructure (KMI), which handles both zone signing key (ZSK) and key signing key (KSK) rotation.

The ZSK is rotated weekly and the KSK is rotated annually. For zone key rotation, Akamai uses RFC 4641’s “prepublish key rollover” method, modified for constant rotation. That is, two ZSKs are present in the zone apex DNSKEY record. One key actively signs the rest of the zone; the other key is present so it has time to propagate before becoming active. This method specifically:

  • introduces a new, as-yet-unused DNSKEY record into the apex DNSKEY RRset.
  • waits for the data to propagate (propagation time plus keyset TTL).
  • switches to signing the zone’s RRSIGs with the new key, while leaving the previous key available in the apex DNSKEY RRset.
  • waits for propagation time plus the maximum TTL in the zone.
  • removes the old key from the apex DNSKEY RRset, which restarts the rotation cycle.

Signature duration is three days. To be sure signatures don’t reach expiration, even if records are not being modified, the zone is re-signed at least once per day.
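To make the five rollover steps and the re-signing schedule concrete, the following is an added Python simulation; it is not Akamai's code and not part of this page. It replays the apex DNSKEY RRset and the signing key hour by hour, using constructed propagation and TTL values (the three-day signature duration and daily re-sign come from the text above), and checks the invariant the two waits exist to guarantee: whichever combination of cached DNSKEY RRset and cached RRSIG a resolver can hold, the signing key is present in the DNSKEY set and the signature has not expired. Shortening either wait, or shrinking signature validity below the re-sign interval plus the maximum cache age, produces detected failures.

```python
"""Simulates the pre-publish ZSK rollover and the re-signing schedule
described above and checks that no resolver cache state fails validation.
Added example; the hour values are constructed assumptions, not Akamai's."""
from dataclasses import dataclass, field

# Constructed timings in hours (assumptions for this simulation)
PROPAGATION_H = 2      # time for a zone change to reach every authoritative server
DNSKEY_TTL_H = 1       # TTL of the apex DNSKEY RRset
MAX_ZONE_TTL_H = 24    # largest TTL of any record in the zone
SIG_VALIDITY_H = 72    # from the page: signatures last three days
RESIGN_EVERY_H = 24    # from the page: the zone is re-signed at least daily


@dataclass
class Timeline:
    """What the zone published at each hour and which ZSK produced the RRSIGs."""
    now: int = 0
    events: list = field(default_factory=list)    # (hour, published key tags, signer tag)
    switches: list = field(default_factory=list)  # hours at which signing moved to a new key

    def publish(self, keys, signer):
        self.events.append((self.now, frozenset(keys), signer))

    def state_at(self, t):
        """DNSKEY RRset and signing key as served at hour t (latest event <= t)."""
        _, keys, signer = [e for e in self.events if e[0] <= t][-1]
        return keys, signer

    def inception_at(self, s):
        """Inception hour of the RRSIG a resolver fetched at hour s."""
        scheduled = RESIGN_EVERY_H * (s // RESIGN_EVERY_H)
        return max([scheduled] + [h for h in self.switches if h <= s])


def prepublish_rollover(tl, old, new,
                        wait_after_publish=PROPAGATION_H + DNSKEY_TTL_H,
                        wait_after_switch=PROPAGATION_H + MAX_ZONE_TTL_H):
    """One cycle of the five steps listed above. Shorter waits model a broken rollover."""
    published, _ = tl.state_at(tl.now)
    tl.publish(published | {new}, old)   # 1. introduce the unused key into the DNSKEY RRset
    tl.now += wait_after_publish         # 2. wait propagation + DNSKEY TTL
    tl.publish(published | {new}, new)   # 3. sign with the new key, keep the old one published
    tl.switches.append(tl.now)           #    (switching keys re-signs the zone)
    tl.now += wait_after_switch          # 4. wait propagation + maximum zone TTL
    tl.publish({new}, new)               # 5. drop the old key; the next cycle starts here


def validation_failures(tl, t, sig_validity_h=SIG_VALIDITY_H):
    """Cache combinations at hour t that would fail DNSSEC validation.
    A resolver may hold a DNSKEY RRset fetched up to PROPAGATION_H + DNSKEY_TTL_H
    hours ago and a signed record fetched up to PROPAGATION_H + MAX_ZONE_TTL_H
    hours ago; every pairing must validate and the RRSIG must not have expired."""
    failures = []
    for s in range(max(0, t - PROPAGATION_H - MAX_ZONE_TTL_H), t + 1):
        _, signer = tl.state_at(s)
        if t - tl.inception_at(s) > sig_validity_h:
            failures.append(("expired RRSIG", t, s))
        for u in range(max(0, t - PROPAGATION_H - DNSKEY_TTL_H), t + 1):
            if signer not in tl.state_at(u)[0]:
                failures.append(("signer missing from cached DNSKEY", t, s, u))
    return failures


def simulate(cycles=3, sig_validity_h=SIG_VALIDITY_H, **rollover_waits):
    """Runs `cycles` rollovers and returns the number of failing cache states."""
    tl = Timeline()
    tl.publish({1000}, 1000)                  # key tags are constructed values
    tl.now += PROPAGATION_H + MAX_ZONE_TTL_H  # let resolver caches fill with the initial state
    active = 1000
    for i in range(1, cycles + 1):
        prepublish_rollover(tl, active, 1000 + i, **rollover_waits)
        active = 1000 + i
    return sum(len(validation_failures(tl, t, sig_validity_h)) for t in range(tl.now + 1))


if __name__ == "__main__":
    print("correct rollover:", simulate())
    print("old key removed right after the switch:", simulate(wait_after_switch=0))
    print("switch before the new DNSKEY propagated:", simulate(wait_after_publish=0))
    print("signature validity shorter than cache age:", simulate(sig_validity_h=24))
```

The check is deliberately pessimistic: it pairs every DNSKEY RRset a resolver could still be caching with every RRSIG it could still be caching, which is exactly why step 2 waits on the DNSKEY TTL (so the new key is everywhere before it signs) and step 4 waits on the maximum zone TTL (so no cached signature still names the key being removed).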

The added benefit of the “sign and serve” DNSSEC option is the ability to support top-level redirection. The current recommended algorithm is ECDSA-P256-SHA256, or RSA SHA-256 if you want to avoid the use of ECDSA.

DNSSEC can be used with both ZAM and top-level redirection.