[Opendnssec-develop] Deactivating old KSK

sion at nominet.org.uk sion at nominet.org.uk
Thu Nov 5 06:03:53 UTC 2009

> So we are missing step c (and the large value part of b) in
> OpenDNSSEC. Which I think we need before v1.0.

So this is what I am going to do:

1) Change the default time that a KSK is in the retire state to INT_MAX - 1
2) Create an ods-ksmutil command ("ds removed --zone <zone>"? do we need a
--policy version?)
      this will set the dead time to:

"now" + max(TTL of record in parent zone + estimate of propagation delay
through parent zone, TTL of record in this zone + estimate of propagation
delay through this zone) + safety margin

Note that all of these variables are already part of the kasp.xml.

I'm assuming that if a key is rolled manually then "ods-ksmutil ds removed"
will still be called at some point.

If anything here surprises you, or if you think that I have left anything
out then please let me know.


More information about the Opendnssec-develop mailing list