[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Nov 5 06:28:00 UTC 2009


I think we also need a policy version for those with many zones.

What will happen if you roll the key and there is no ready key? The user takes the prepublished key and adds this as a DS, giving the ds command before the new key is ready.

Will it still work? Just so that the algorithm works as intended, and that we retire the old key when we should do it and not prematurely.

On 5 Nov 2009 at 07:05, "sion at nominet.org.uk" <sion at nominet.org.uk> wrote:

>> So we are missing step c (and the large value part of b) in
>> OpenDNSSEC. Which I think we need before v1.0.
>
> So this is what I am going to do:
>
> 1) Change the default time that a KSK is in the retire state to INT_MAX - 1
> 2) Create an ods-ksmutil command ("ds removed --zone <zone>"? do we need a
> --policy version?)
>      this will set the dead time to:
>
> "now" + max(TTL of record in parent zone + estimate of propagation delay
> through parent zone, TTL of record in this zone + estimate of propagation
> delay through this zone) + safety margin
>
> Note that all of these variables are already part of the kasp.xml.
>
> I'm assuming that if a key is rolled manually then "ods-ksmutil ds removed"
> will still be called at some point.
>
> If anything here surprises you, or if you think that I have left anything
> out then please let me know.
>
> Sion
>
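The dead-time rule quoted in Sion's message above (now + max(parent-side TTL + propagation, own-side TTL + propagation) + safety margin) is easy to get wrong if only one side of the max is considered, so here is a worked version of it. This is an added example, not code from the thread or from OpenDNSSEC: the kasp.xml fragment is constructed for the example, and the element names it reads (Keys/TTL, Keys/RetireSafety, Zone/PropagationDelay, Parent/DS/TTL, Parent/PropagationDelay) are assumed to be the policy fields Sion refers to rather than taken from the project's schema.

```python
"""Compute when a retired KSK may be treated as dead after 'ds removed'.

Formula, as stated in the thread:

    dead = now + max(DS TTL in parent + parent propagation delay,
                     DNSKEY TTL in this zone + this zone's propagation delay)
               + safety margin

NOTE: the kasp.xml fragment and its element names are constructed for this
example and assumed to correspond to OpenDNSSEC's policy fields; they are
not taken from the project's own schema or code.
"""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed sample policy (not a real OpenDNSSEC file).
SAMPLE_KASP = """<KASP>
  <Policy name="default">
    <Keys>
      <TTL>PT1H</TTL>
      <RetireSafety>PT1H</RetireSafety>
    </Keys>
    <Zone>
      <PropagationDelay>PT43200S</PropagationDelay>
    </Zone>
    <Parent>
      <PropagationDelay>PT9999S</PropagationDelay>
      <DS><TTL>PT3600S</TTL></DS>
    </Parent>
  </Policy>
</KASP>"""

# Subset of ISO 8601 durations: PnD, PTnHnMnS and combinations thereof.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_duration(text):
    """Convert an ISO 8601 duration such as PT1H or P1DT2H to seconds."""
    m = _DURATION.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %r" % text)
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def policy_timings(kasp_xml, policy_name):
    """Pull the timing fields the dead-time rule needs out of one policy."""
    root = ET.fromstring(kasp_xml)
    policy = root.find("./Policy[@name='%s']" % policy_name)
    if policy is None:
        raise KeyError("no policy named %r" % policy_name)

    def seconds(path):
        node = policy.find(path)
        if node is None or not node.text:
            raise KeyError("policy %r lacks %s" % (policy_name, path))
        return parse_duration(node.text)

    return {
        "dnskey_ttl": seconds("Keys/TTL"),                    # this zone
        "zone_propagation": seconds("Zone/PropagationDelay"),  # this zone
        "ds_ttl": seconds("Parent/DS/TTL"),                   # parent zone
        "parent_propagation": seconds("Parent/PropagationDelay"),
        "retire_safety": seconds("Keys/RetireSafety"),        # safety margin
    }


def ds_removed_delay(timings):
    """Seconds from 'ds removed' until the old KSK can be considered dead.

    Both sides of the max matter: a long DNSKEY TTL or slow propagation in
    our own zone can dominate even when the parent's DS TTL is short.
    """
    parent_side = timings["ds_ttl"] + timings["parent_propagation"]
    own_side = timings["dnskey_ttl"] + timings["zone_propagation"]
    return max(parent_side, own_side) + timings["retire_safety"]


def dead_time(kasp_xml, policy_name, now_iso):
    """Return the dead timestamp (ISO 8601) for 'ds removed' issued at now_iso."""
    now = datetime.fromisoformat(now_iso)
    delay = ds_removed_delay(policy_timings(kasp_xml, policy_name))
    return (now + timedelta(seconds=delay)).isoformat()


if __name__ == "__main__":
    t = policy_timings(SAMPLE_KASP, "default")
    print("delay after 'ds removed': %d s" % ds_removed_delay(t))
    print("dead at:", dead_time(SAMPLE_KASP, "default", "2009-11-05T07:05:00+00:00"))
```

With the constructed values the own-zone side (1 h DNSKEY TTL + 12 h propagation) is larger than the parent side (1 h DS TTL + 9999 s), so the parent's DS TTL alone would have retired the key roughly nine hours too early; the max plus the RetireSafety margin is what keeps the old KSK alive until every cached DNSKEY and DS has expired.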


