[Opendnssec-develop] Deactivating old KSK

Sion.Lloyd at nominet.org.uk Sion.Lloyd at nominet.org.uk
Mon Nov 2 12:03:37 UTC 2009

> Am I correct if I say that old KSK are currently automatically
> deactivated in accordance with the rollover algorithm?
> It should only be deactivated once the user has had the chance to
> publish the new DS to its parent. Shouldn't the rollover process be
> a two-step rocket?
> First make a new key active.
> And then deactivate the old key on the command by the user (or any
> script running on the machine) when the new DS is published.

There are 3 strategies for ksk rollover described in
draft-morris-dnsop-dnssec-key-timing-01 (

Should it be a configurable option as to which one the user wants?
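To make the two-step idea in the quoted message concrete, here is an added example (my own code, not part of OpenDNSSEC and not from this thread) modelling a double-signature style KSK rollover as two explicit steps: step 1 activates the new key so both keys sign the DNSKEY RRset, and step 2 retires the old key only after the operator (or a script) has confirmed the new DS is published at the parent, plus the parent propagation delay and DS TTL have elapsed so that no validator still holds the old DS in cache. The key tags, the 1-day DS TTL and the 1-hour propagation delay are constructed values, and the waiting rule is a simplification of the timing described in the key-timing draft.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class KeyState(Enum):
    PUBLISHED = "published"  # DNSKEY present in the zone but not yet signing
    ACTIVE = "active"        # signing the DNSKEY RRset
    RETIRED = "retired"      # no longer signing; safe to withdraw from the zone


class RolloverError(Exception):
    """Raised when a rollover step is attempted before its preconditions hold."""


@dataclass
class Ksk:
    keytag: int
    state: KeyState
    ds_seen_at: Optional[int] = None  # time the operator confirmed the DS at the parent


@dataclass
class KskRollover:
    """Two-step KSK rollover (double-signature style, simplified).

    Step 1 activates the new key so both keys sign the DNSKEY RRset.
    Step 2 retires the old key and is only allowed after the new DS has been
    confirmed at the parent AND the old DS has had time to expire from every
    validator's cache: parent propagation delay + DS TTL.
    """
    old: Ksk
    new: Ksk
    ds_ttl: int              # TTL of the DS RRset at the parent (seconds)
    parent_propagation: int  # time for a parent-zone change to reach all its servers (seconds)

    def step1_activate_new(self) -> KeyState:
        if self.new.state is not KeyState.PUBLISHED:
            raise RolloverError(f"key {self.new.keytag} is {self.new.state.value}, expected published")
        self.new.state = KeyState.ACTIVE
        return self.new.state

    def ds_seen(self, now: int) -> None:
        """Operator (or a script) reports that the new DS is visible at the parent."""
        if self.new.state is not KeyState.ACTIVE:
            raise RolloverError("new key must be active before its DS is submitted")
        self.new.ds_seen_at = now

    def earliest_retire_time(self) -> Optional[int]:
        if self.new.ds_seen_at is None:
            return None
        return self.new.ds_seen_at + self.parent_propagation + self.ds_ttl

    def step2_retire_old(self, now: int) -> KeyState:
        earliest = self.earliest_retire_time()
        if earliest is None:
            raise RolloverError("new DS not yet confirmed at the parent; refusing to retire old KSK")
        if now < earliest:
            raise RolloverError(f"old DS may still be cached; retry at t={earliest}")
        self.old.state = KeyState.RETIRED
        return self.old.state


def run_example() -> dict:
    """Walk a rollover with constructed timings and record what each step does."""
    roll = KskRollover(
        old=Ksk(keytag=11111, state=KeyState.ACTIVE),   # constructed key tags
        new=Ksk(keytag=22222, state=KeyState.PUBLISHED),
        ds_ttl=86400,             # assumed parent DS TTL: 1 day
        parent_propagation=3600,  # assumed parent propagation delay: 1 hour
    )
    outcome = {}
    outcome["after_step1"] = roll.step1_activate_new()
    # Retiring before the DS is confirmed is refused no matter how much time has passed.
    try:
        roll.step2_retire_old(now=10**9)
    except RolloverError as exc:
        outcome["premature"] = str(exc)
    roll.ds_seen(now=7200)
    outcome["earliest"] = roll.earliest_retire_time()  # 7200 + 3600 + 86400 = 97200
    try:
        roll.step2_retire_old(now=90000)
    except RolloverError as exc:
        outcome["too_early"] = str(exc)
    outcome["after_step2"] = roll.step2_retire_old(now=outcome["earliest"])
    return outcome


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The point of the model is that the retire step is gated on an explicit DS-seen event rather than on a timer alone; whether that event comes from a human or from a script polling the parent is a policy choice, which is the kind of thing the configurable option asked about above would select.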
