[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Nov 5 13:44:07 UTC 2009


> Should we allow them to "remove" the ds record of an active key? If we
> are asked to retire a key and there is no ready key to take over what we do
> now is set the retire time to be now, but it will not actually move until
> there is a key in the ready state.

I did not read the last message so closely, but shouldn't the command be about notifying that you have added the new ds and not removed the old one?

Because you want to have a chain-of-trust with the new ds. It does not matter that you have an old ds that does not have the corresponding ksk in the zone, right?

> So we could make the dead time equal to the ready time of the replacement
> key + max(...) + safety? Or we could throw an error.
> If "ds remove" is called on a zone with no retired key should I take that
> as an instruction to roll the key?

The algorithm you proposed earlier:

"now" + max(TTL of record in parent zone + estimate of propagation delay through parent zone, TTL of record in this zone + estimate of propagation delay through this zone) + safety margin

You should also have:

If "ready time" > "now" then use "ready time" in the algo above. This will happen if you say to the system that you have added the new ds before the new key is ready.

Correct me if I am wrong...

// Rickard
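The dead-time rule discussed in this message, worked through as an added example (not code from the thread or from OpenDNSSEC itself). It starts from the later of "now" and the replacement key's ready time, adds the slower of the two TTL-plus-propagation chains, then the safety margin; the TTL, delay and margin values in the demo are constructed, and the function and parameter names are assumptions.

```python
from datetime import datetime, timedelta, timezone


def old_ksk_dead_time(now, ready_time, parent_ttl, parent_delay,
                      zone_ttl, zone_delay, safety):
    """Earliest time the old KSK (and its DS) can be treated as dead.

    now, ready_time: timezone-aware datetimes; the rest are timedeltas.
    If the operator reports the new DS before the replacement key is
    ready, ready_time is in the future and must replace "now" as the
    starting point; otherwise the waiting period starts immediately.
    """
    start = max(now, ready_time)
    # Cached copies of the old DS in the parent, or of the old DNSKEY in
    # this zone, must both have expired before the old key is unreachable.
    parent_chain = parent_ttl + parent_delay
    zone_chain = zone_ttl + zone_delay
    return start + max(parent_chain, zone_chain) + safety


def demo():
    """Constructed scenario: two calls differing only in the ready time."""
    now = datetime(2009, 11, 5, 13, 44, 7, tzinfo=timezone.utc)
    params = dict(parent_ttl=timedelta(days=1),        # DS TTL in parent
                  parent_delay=timedelta(hours=2),     # parent propagation
                  zone_ttl=timedelta(hours=1),         # DNSKEY TTL here
                  zone_delay=timedelta(minutes=30),    # our propagation
                  safety=timedelta(hours=1))
    # Replacement key already ready: wait starts now.
    already_ready = old_ksk_dead_time(now, now - timedelta(days=1), **params)
    # DS reported early: wait starts when the new key becomes ready.
    early_report = old_ksk_dead_time(now, now + timedelta(days=2), **params)
    return already_ready, early_report


if __name__ == "__main__":
    for label, t in zip(("ready key", "early ds report"), demo()):
        print(f"{label}: old KSK dead at {t.isoformat()}")
```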
