[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 3 13:28:38 UTC 2009


> The problem with a fully-automated system here is that although
> OpenDNSSEC can start publishing the new KSK in the zone, it has no way
> of knowing whether the DS record has been submitted to the parent (or
> even that the KSK rollover has been noticed by the operator).
> I would suggest that the following requires a minimum amount of work to
> the enforcer:
> a) New KSK is introduced into the zone automatically and messages
> appear in the logs. (This already happens.)
> b) At some time, the new key moves into the "active" state and the old
> key into a "retire" state. In these states, both keys continue to be
> published. However, the enforcer is altered so as to set the amount of
> time the KSK stays in the "retire" state to some very large value.
> c) The operator is required to acknowledge that the DS record has
> appeared in the parent.  This new command resets the retire time of the
> KSK to:
>      max(TTL of record in parent zone + estimate of propagation delay
>              through parent zone,
>          TTL of record in this zone + estimate of propagation delay
>              through this zone)
>      + safety margin
> d) The old KSK is not removed until the retire time has expired.  (In
> other words, we protect the user by keeping the old KSK in the zone for
> long enough to guarantee that the old DS and DNSKEY RRsets have expired
> from all validators.)
> (Note that step (c) may occur before step (b), in which case step (b)
> should not reset the retire time.)


So we are missing step c (and the large value part of b) in OpenDNSSEC, which I think we need before v1.0.

Should I create a Pivotal story about this?

// Rickard
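The steps (a) to (d) quoted above, modelled as a small state machine. This is an added example for illustration, not OpenDNSSEC code and not from either poster; the class, method and constant names are hypothetical. It shows the retire-time formula from step (c), the "very large" placeholder from step (b), the rule that (c) arriving before (b) must not be overwritten by (b), and step (d) keeping the old KSK in the DNSKEY RRset until the retire time has actually passed. One assumption the thread does not spell out: the retire interval is counted from whichever of (b) and (c) happened last, so a late acknowledgement can never shorten the hold below the computed interval.

```python
"""Toy model of the KSK retire-time handling proposed on the list.

Added example, not OpenDNSSEC code; all names are hypothetical.
Times are Unix seconds, TTLs and delays are in seconds.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Step (b): until the operator acknowledges the DS, the old KSK is parked in
# "retire" with an interval so large it never expires on its own (~68 years).
UNACKNOWLEDGED_RETIRE_INTERVAL = 2 ** 31


def retire_interval(parent_ttl: int, parent_propagation: int,
                    zone_ttl: int, zone_propagation: int,
                    safety_margin: int) -> int:
    """Step (c): max(parent TTL + parent propagation,
                     zone TTL + zone propagation) + safety margin."""
    return max(parent_ttl + parent_propagation,
               zone_ttl + zone_propagation) + safety_margin


@dataclass
class KskRollover:
    """Tracks one old/new KSK pair through steps (a)-(d)."""
    old_ksk: str
    new_ksk: str
    new_state: str = "unpublished"   # (a) -> "published", (b) -> "active"
    old_state: str = "active"        # (b) -> "retire", (d) -> "removed"
    retire_started: Optional[int] = None
    ds_acknowledged_at: Optional[int] = None
    interval: int = UNACKNOWLEDGED_RETIRE_INTERVAL
    log: List[str] = field(default_factory=list)

    def introduce_new_ksk(self, now: int) -> None:
        """Step (a): publish the new KSK and log that its DS must go to the parent."""
        self.new_state = "published"
        self.log.append(f"{now}: new KSK {self.new_ksk} published; "
                        f"submit its DS record to the parent zone")

    def activate_new_ksk(self, now: int) -> None:
        """Step (b): new key active, old key retired, both still published.
        The interval is only forced to the large value if (c) has not
        already happened (the note at the end of the proposal)."""
        self.new_state = "active"
        self.old_state = "retire"
        self.retire_started = now
        if self.ds_acknowledged_at is None:
            self.interval = UNACKNOWLEDGED_RETIRE_INTERVAL

    def acknowledge_ds(self, now: int, parent_ttl: int, parent_propagation: int,
                       zone_ttl: int, zone_propagation: int,
                       safety_margin: int) -> None:
        """Step (c): operator confirms the new DS is visible in the parent."""
        self.ds_acknowledged_at = now
        self.interval = retire_interval(parent_ttl, parent_propagation,
                                        zone_ttl, zone_propagation, safety_margin)
        self.log.append(f"{now}: DS for {self.new_ksk} acknowledged; "
                        f"old KSK {self.old_ksk} retires {self.interval}s later")

    def retire_ends_at(self) -> Optional[int]:
        """Absolute time after which the old KSK may be removed, or None
        before (b). Assumption (not in the thread): the interval counts from
        whichever of (b) and (c) came last."""
        if self.retire_started is None:
            return None
        if self.ds_acknowledged_at is None:
            return self.retire_started + self.interval   # effectively never
        return max(self.retire_started, self.ds_acknowledged_at) + self.interval

    def published_ksks(self, now: int) -> List[str]:
        """Step (d): the old KSK stays in the DNSKEY RRset until the retire
        time has passed; returns the KSKs that should be in the zone now."""
        end = self.retire_ends_at()
        if self.old_state == "retire" and end is not None and now >= end:
            self.old_state = "removed"
        keys = []
        if self.old_state in ("active", "retire"):
            keys.append(self.old_ksk)
        if self.new_state in ("published", "active"):
            keys.append(self.new_ksk)
        return keys


if __name__ == "__main__":
    r = KskRollover("ksk-old", "ksk-new")
    r.introduce_new_ksk(now=0)
    r.activate_new_ksk(now=3600)
    # parent TTL 1 day + 1 h, own zone TTL 1 h + 10 min, margin 1 h -> 93600 s
    r.acknowledge_ds(now=10_000, parent_ttl=86400, parent_propagation=3600,
                     zone_ttl=3600, zone_propagation=600, safety_margin=3600)
    for t in (0, 3600, 10_000 + 93_599, 10_000 + 93_600):
        print(t, r.published_ksks(t))
    print("\n".join(r.log))
```

Run stand-alone it prints both KSKs present until one second before 10000 + 93600 and only the new one from then on. Without the acknowledge_ds call the old KSK would stay published indefinitely, which is exactly the protection the proposal is after: automation cannot know the DS reached the parent, so it must not guess.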


