[Opendnssec-develop] KSK rollover - current plan

sion at nominet.org.uk
Mon Nov 9 06:12:17 UTC 2009

Stephen and I have come up with this plan for KSK rollover. We can add
alternate schemes post version 1...

Replacement key is pre-published as before.

When we see that a key is about to retire, provided that there is one key
in the ready state, issue the "submit DS" message.

Keep issuing this message until the "DS seen" command is issued.

At this time move the ready key to active, the active key to retired and
schedule the dead time of the retired key.

Rollover if the standby key is ready just sets the estimated retire time to
now; rollover if the standby key is not ready also sets the estimated retire
time to now, but nothing happens until the ready time of the new key... just
as it does now.

DS seen command will look like:

ods-ksmutil key ds-seen --keytag <keytag>

(if keys are shared then we will ask if it has been seen in parents of all
zones that use the key [y/N] )

Then, provided that the keytag supplied matches a KSK in the ready state,
the process can continue.
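To make the state transitions above concrete, here is a small model of the
flow as an added example; it is not OpenDNSSEC code, and the State/Ksk/KskRollover
names, the integer clock and the dead_delay parameter are assumptions of this sketch.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    PUBLISH = "publish"   # pre-published replacement, not yet usable
    READY = "ready"       # standby KSK, eligible to become active
    ACTIVE = "active"
    RETIRED = "retired"

@dataclass
class Ksk:
    keytag: int
    state: State
    ready_at: int = 0       # when a pre-published key becomes READY
    retire_at: int = None   # estimated retire time of the ACTIVE key
    dead_at: int = None     # scheduled removal time of a RETIRED key

class KskRollover:
    def __init__(self, keys, dead_delay):
        self.keys, self.dead_delay = keys, dead_delay
    def active(self):
        return next((k for k in self.keys if k.state is State.ACTIVE), None)
    def ready(self):
        return [k for k in self.keys if k.state is State.READY]
    def rollover(self, now):
        # Operator rollover only sets the estimated retire time to now;
        # whether anything happens depends on a standby key being READY.
        act = self.active()
        if act:
            act.retire_at = now
    def tick(self, now):
        # Periodic check; returns True whenever "submit DS" should be issued.
        for k in self.keys:  # pre-published keys mature into READY
            if k.state is State.PUBLISH and now >= k.ready_at:
                k.state = State.READY
        act = self.active()
        if act and act.retire_at is not None and now >= act.retire_at and self.ready():
            return True  # keep issuing until ds_seen() is called
        return False
    def ds_seen(self, keytag, now):
        # 'ods-ksmutil key ds-seen --keytag <keytag>': only a READY KSK matches.
        new = next((k for k in self.ready() if k.keytag == keytag), None)
        if new is None:
            return False
        old = self.active()
        new.state, new.retire_at = State.ACTIVE, None
        if old:
            old.state, old.dead_at = State.RETIRED, now + self.dead_delay
        return True
```

Note that ds_seen() refuses a keytag that is not in the ready state, so a
mistyped or stale tag cannot promote the wrong key.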

I'm going to go ahead and start writing this in, so can you give any
feedback ASAP please?
