[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 3 10:33:52 UTC 2009



> It does strike me that we need to get this sorted out fast though (i.e.
> before 1.0).  In particular, the documentation should describe the
> steps involved in doing a KSK rollover.

I was having a look at the documentation for the KSK rollover. You can issue the command, but there is more to it. We are lacking the possibility to notify the system that it is safe to deactivate the old KSK.

So my statement is that there is no fully automatic solution for KSK rollover, since we need interaction with our parent (or, in the case of the root, you need to distribute the new trust anchor) before we can deactivate the old KSK.

But OpenDNSSEC does act as if the KSK process is fully automatic...

I think that you can never solve this by using a timer, e.g. a configurable time interval for the DS distribution.

We need a command for this.

// Rickard

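The condition raised in the message above (the old KSK may only be deactivated once the parent publishes a DS for the new one) can be checked against the parent's DS RRset instead of being timed. The following is an added example, not part of the original post and not OpenDNSSEC code; the zone name, key bytes and DS sets are constructed sample data, and all function names are hypothetical.

```python
import hashlib
import struct

def name_to_wire(name):
    """Owner name in canonical (lower-case) DNS wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, then the public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2 = SHA-256, hex digest)."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def safe_to_retire_old_ksk(owner, new_ksk_rdata, parent_ds_set):
    """True only when the parent's DS RRset contains a DS for the new KSK."""
    seen = {(t, a, d, h.lower()) for (t, a, d, h) in parent_ds_set}
    return ds_for(owner, new_ksk_rdata) in seen

# Constructed sample data: two KSKs (flags 257, protocol 3, algorithm 8).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(1, 33)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(101, 133)))

def upper(ds):
    """Same DS with an upper-case digest, as zone files usually present it."""
    return ds[:3] + (ds[3].upper(),)

# Parent DS RRset as observed before and after the parent acts on the new DS.
DS_BEFORE = [upper(ds_for(ZONE, OLD_KSK))]
DS_AFTER = DS_BEFORE + [upper(ds_for(ZONE, NEW_KSK))]

if __name__ == "__main__":
    for label, ds_set in (("before", DS_BEFORE), ("after", DS_AFTER)):
        ok = safe_to_retire_old_ksk(ZONE, NEW_KSK, ds_set)
        print(label, "-> old KSK may be retired" if ok else "-> keep old KSK active")
```

A True result reflects the parent's current DS RRset only; resolvers may still hold the previous DS RRset in cache until its TTL expires.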

