[Opendnssec-develop] Deactivating old KSK

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Tue Nov 3 12:04:13 UTC 2009

Rickard Bellgrim <rickard.bellgrim at iis.se> wrote on 03/11/2009 10:33:52:

> > It does strike me that we need to get this sorted out fast though 
> > before 1.0).  In particular, the documentation should describe the
> > steps involved in doing a KSK rollover.
> I was having a look on the documentation for the KSK rollover. You can 
> to command but there is more to it. We are lacking the possibility to 
> the system that it is safe to deactivate the old KSK.
> So my statement is that there is no fully automatic solution for KSK 
> Since we need interaction with our parent. Or in the case of the root, 
> need to distribute the new trust anchor. Before we can deactivate the 
old KSK.
> But OpenDNSSEC do act as if there KSK process is fully automatic...
> I think that you never can solve this by using a timer. E.g. a 
> time interval for the DS distribution.
> We need a command for this.
> // Rickard

The problem with a fully-automated system here is that although OpenDNSSEC 
can start publishing the new KSK in the zone, it has no way of knowing 
whether the DS record has been submitted to the parent (or even that the 
KSK rollover has been noticed by the operator).

I would suggest that the following requires a minimum amount of work to 
the enforcer:

a) New KSK is introduced into the zone automatically and messages appears 
in the logs. (This already happens.)
b) At some time, the new key moves into the "active" state and the old key 
into a "retire" state. In these states, both keys continue to be 
published. However, the enforcer is altered so as to set the amount of 
time the KSK stays in the "retire" state to some very large value.
c) The operator is required to acknowledge that the DS record has appeared 
in the parent.  This new command resets the retire time of the KSK to:

     max(TTL of record in parent zone + estimate of propagation delay 
through parent zone,
         TTL of record in this zone + estimate of propagation delay 
through this zone) +
         safety margin

d) The old KSK is not removed until the retire time has expired.  (In 
other words, we protect the user by keeping the old KSK in the zone for 
long enough to guarantee that the old DS and DNSKEY RRsets have expired 
from all validators.)

(Note that step (c) may occur before step (b), in which case step (b) 
should not reset the retire time.)


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091103/18dfdb25/attachment.htm>

More information about the Opendnssec-develop mailing list