[Opendnssec-develop] KSK rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Dec 8 14:29:37 UTC 2009



Hi

As noted on the user's list, we got some suggestions that we should use double signatures for KSK rollover, because most people would like to change the DS records only one time. Do we agree?

Currently we do (something like this):
ods-ksmutil key rollover --zone example.com --keytype KSK
- Publish new key
ods-ksmutil key ksk-roll
- Make new key active. Retire old key.

Suggested solution:
ods-ksmutil key rollover --zone example.com --keytype KSK
- Publish new key. Make new key active (when key is ready).
ods-ksmutil key ksk-roll
- Retire old key.

Should we do this for version 1? Would it be difficult?

// Rickard

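The two flows above, as an added timeline model (editor's illustration, not OpenDNSSEC code): key names K1/K2 and the one-step-back cache model are assumptions. It checks, at each step, that a resolver holding either the fresh or the previous DNSKEY RRset and DS set can still build a chain of trust, and shows why the new key must be signing before the parent's DS is changed.

```python
# Added illustration (not OpenDNSSEC code): a timeline model of the KSK
# double-signature rollover. Each step records which KSKs currently sign
# the DNSKEY RRset and which DS records the parent publishes. Resolvers
# may still hold the previous step's DNSKEY RRset or DS set in cache, so
# every combination of current/previous data must validate (assumption:
# each step lasts at least one TTL, so only one step back is cached).

def chain_ok(ds_sets, signer_sets):
    """True if every cached-vs-fresh combination has a DS matching a signing KSK."""
    return all(ds & signers for ds in ds_sets for signers in signer_sets)

def run(steps):
    """steps: (label, signing KSKs, DS records). Returns [(label, ok), ...]."""
    results, prev_signers, prev_ds = [], None, None
    for label, signers, ds in steps:
        signer_sets = {frozenset(signers), frozenset(prev_signers or signers)}
        ds_sets = {frozenset(ds), frozenset(prev_ds or ds)}
        results.append((label, chain_ok(ds_sets, signer_sets)))
        prev_signers, prev_ds = signers, ds
    return results

def rollover_safe(steps):
    """True only if the chain of trust holds at every step of the timeline."""
    return all(ok for _, ok in run(steps))

# Suggested flow: "key rollover" publishes K2 and, once ready, both keys
# sign; the parent changes DS exactly once; "ksk-roll" then retires K1.
DOUBLE_SIGNATURE = [
    ("key rollover: publish K2 (K1 still signs alone)", {"K1"}, {"K1"}),
    ("K2 ready: K1 and K2 both sign DNSKEY",            {"K1", "K2"}, {"K1"}),
    ("parent replaces DS(K1) with DS(K2)",              {"K1", "K2"}, {"K2"}),
    ("ksk-roll: retire K1",                             {"K2"}, {"K2"}),
]

# Same keys, but the DS is swapped before K2 signs: a cached DNSKEY RRset
# signed by K1 alone matches no published DS, so validation fails there.
DS_SWAPPED_TOO_EARLY = [
    ("key rollover: publish K2",                      {"K1"}, {"K1"}),
    ("parent replaces DS(K1) with DS(K2) too early",  {"K1"}, {"K2"}),
    ("K2 starts signing",                             {"K1", "K2"}, {"K2"}),
    ("retire K1",                                     {"K2"}, {"K2"}),
]

if __name__ == "__main__":
    for name, steps in (("double signature", DOUBLE_SIGNATURE),
                        ("DS too early", DS_SWAPPED_TOO_EARLY)):
        for label, ok in run(steps):
            print(f"[{name}] {'ok  ' if ok else 'FAIL'} {label}")
```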

