[Opendnssec-develop] KSK Rollovers

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Fri Jul 3 12:46:16 UTC 2009


Jakob Schlyter <jakob at kirei.se> wrote on 02/07/2009 19:26:27:

> On 2 jul 2009, at 13.39, Stephen.Morris at nominet.org.uk wrote:
> 
> > a) Does KASP warn about a rollover?
> 
> I believe we should warn via syslog.

That will be fine, I asked the question just to ensure that this is done.



> > b) Does KASP notify the user when a KSK rollover is happening?
> 
> I believe we should warn via syslog here as well.

Again, that is OK.



> > And does it identify the DS record(s) that should be added to the 
> > parent zone?
> 
> it might be nice to log the keytag of the new KSK(s).
> 
> > c) Does the signer create the DS record in a way that it can be 
> > easily found?
> 
> at the last meeting in Amsterdam we decided that the signer should not 
> save the DS records in any file - the user can use drill or similar to 
> get data needed to send to the parent.

The DS record was my first thought.  Reading RFC 4310, I see that to 
create a DS record, EPP requires:

key tag
algorithm
digest type
digest
optional max sig lifetime
optional keydata

It is certainly not OpenDNSSEC's place to interface to EPP, but it is its 
responsibility to make the information easily available.  Asking the user 
to use a tool like "drill" feels like a step too far, although it is 
acceptable for the technology preview.  Instead, could KASP or the signer 
log the information in syslog? If this is in the form of an easily 
identifiable message, the user's systems could intercept those messages 
and automatically generate an EPP request to the parent.  (Which leads to 
a definition question: should it be KASP or should it be the signer that 
generates the message?)



> > d) Does KASP notify the user when a DS record should be removed from 
> > the parent zone? And how does it identify the key to be removed?
> 
> as soon as the new KSK has gone active and all signatures have been 
> regenerated, it could log this as well?

If it logs when a DS record (presumably identified by key tag) should be 
removed from the parent, the user's systems could intercept the message 
and issue the appropriate EPP update command.



> > In the longer term, do we also want to add the ability for 
> > OpenDNSSEC to check whether a DS record of a KSK is in the parent 
> > zone before we actually start signing the zone with the new key (as 
> > suggested in the KSK rollover algorithm in the key timing draft?)  At 
> > present, I believe the assumption is that the DS record will appear 
> > in the parent zone within some (configurable) interval of it being 
> > available to the operator.
> 
> right.
> 
>    jakob
> 

Stephen
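The fields listed above (key tag, algorithm, digest type, digest) are all derivable from the KSK's DNSKEY record, and the key tag is also what identifies the DS to remove later. The following is an added illustration of that derivation per RFC 4034, not OpenDNSSEC code; the owner name, TTL and key material are constructed placeholders, not a real key.

```python
"""Derive the DS fields (key tag, algorithm, digest type, digest) for a KSK
from its DNSKEY record, per RFC 4034.  Hypothetical helper for checking what
an operator would send to the parent; not OpenDNSSEC's own code."""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}

def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    name = name.rstrip(".").lower()
    labels = name.split(".") if name else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (the special rule for algorithm 1 is not handled)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner: str, flags: int, protocol: int, algorithm: int,
            pubkey: bytes, digest_type: int = 2) -> dict:
    """Return the four DS fields.  Refuses keys without the SEP bit (flags 257),
    since only a KSK is meant to get a DS in the parent."""
    if not flags & 0x0001:
        raise ValueError("not a KSK: SEP flag not set")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = DIGEST_ALGS[digest_type](owner_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm,
            "digest_type": digest_type, "digest": digest}

def ds_from_presentation(line: str, digest_type: int = 2) -> str:
    """Turn a DNSKEY presentation-format line into a DS presentation-format line."""
    owner, ttl, cls, rrtype, flags, proto, alg, *b64 = line.split()
    if rrtype != "DNSKEY":
        raise ValueError("expected a DNSKEY record")
    pubkey = base64.b64decode("".join(b64))
    ds = make_ds(owner, int(flags), int(proto), int(alg), pubkey, digest_type)
    return (f"{owner} {ttl} {cls} DS {ds['key_tag']} {ds['algorithm']} "
            f"{ds['digest_type']} {ds['digest']}")

if __name__ == "__main__":
    # Constructed sample: placeholder name and a 4-byte stand-in for key material.
    print(ds_from_presentation("example.test. 3600 IN DNSKEY 257 3 13 ECAwQA=="))
```

Comparing the output against what `drill` or the registry reports back is a cheap check that the right DS reached the parent before the new KSK is relied on.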