[Opendnssec-develop] KSK rollover - current plan

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Nov 9 09:49:48 UTC 2009


> Stephen and I have come up with this plan for KSK rollover. We can add
> alternate schemes post version 1...
> Replacement key is pre-published as before.
> When we see that a key is about to retire, provided that there is one key
> in the ready state issue the "submit DS" message.
> Keep issuing this message until the "DS seen" command is issued.
> At this time move the ready key to active, the active key to retired and
> schedule the dead time of the retired key.
> Rollover if standby key is ready just sets estimated retire time to now,
> rollover if standby key is not ready sets estimated retire time to now, but
> nothing happens until the ready time of new key... just as it does now.

Algorithm looks ok.

> DS seen command will look like:
> ods-ksmutil key ds-seen --keytag <keytag>
> (if keys are shared then we will ask if it has been seen in parents of all
> zones that use the key [y/N] )
> Then, provided that the keytag supplied matches a KSK in the ready state
> then the process can continue.
> I'm going to go ahead and start writing this in so can you give any
> feedback ASAP please?

Do you need to use the keytag? Won't the system know which keys we are talking about when using either --zone or --policy?

If we must use the keytag, can we handle keytag collisions?

// Rickard
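The state machine sketched in the quoted plan, and the keytag-collision question raised in the reply, as an added toy model (constructed example, not OpenDNSSEC or ods-ksmutil code). The key states, the repeating "submit DS" message, the ds-seen transition and the retire-time behaviour of a manual rollover follow the quoted text; the policy timings, the integer clock, the keytag values and the "refuse on collision" rule for `ds_seen()` are assumptions made for illustration:

```python
"""Toy model of the KSK rollover state machine discussed in the thread.
Constructed example; not OpenDNSSEC code. Timestamps are plain integers."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Key states as discussed: pre-published -> ready -> active -> retired -> dead
PUBLISH, READY, ACTIVE, RETIRED, DEAD = "publish", "ready", "active", "retired", "dead"

# Hypothetical policy timings (assumption): how long a pre-published key needs
# before it is "ready", and how long a retired key stays before it is dead.
PUBLISH_TIME = 10
RETIRE_TIME = 5


@dataclass
class KSK:
    keytag: int                      # constructed value; real tags are 16-bit (RFC 4034)
    state: str
    ready_at: int = 0                # when a pre-published key becomes ready
    retire_at: Optional[int] = None  # estimated retire time of the active key
    dead_at: Optional[int] = None    # scheduled dead time of a retired key


@dataclass
class Zone:
    keys: List[KSK] = field(default_factory=list)
    log: List[str] = field(default_factory=list)
    ds_submitted: bool = False

    def _one(self, state: str) -> Optional[KSK]:
        found = [k for k in self.keys if k.state == state]
        return found[0] if found else None

    def tick(self, now: int) -> None:
        """Periodic enforcer pass: advance timers and nag about DS submission."""
        for k in self.keys:
            if k.state == PUBLISH and k.ready_at <= now:
                k.state = READY
            if k.state == RETIRED and k.dead_at is not None and k.dead_at <= now:
                k.state = DEAD
        active, ready = self._one(ACTIVE), self._one(READY)
        # Active key is about to retire and a standby is ready: issue "submit DS".
        # The message repeats on every pass until ds_seen() is run.
        if active and active.retire_at is not None and active.retire_at <= now and ready:
            self.log.append(f"submit DS for keytag {ready.keytag}")
            self.ds_submitted = True

    def rollover(self, now: int) -> None:
        """Manual rollover: just set the estimated retire time to now.
        If no standby key is ready yet, nothing happens until it is."""
        active = self._one(ACTIVE)
        if active:
            active.retire_at = now

    def ds_seen(self, keytag: int, now: int) -> str:
        """Model of 'ods-ksmutil key ds-seen --keytag <keytag>': the keytag must
        match exactly one KSK in the ready state; an ambiguous tag is refused."""
        matches = [k for k in self.keys if k.state == READY and k.keytag == keytag]
        if not matches:
            return "error: no ready KSK with that keytag"
        if len(matches) > 1:
            # Keytags are 16-bit and can collide; guessing would promote the wrong key.
            return "error: keytag collision, refusing to guess"
        new, old = matches[0], self._one(ACTIVE)
        new.state = ACTIVE
        if old:
            old.state = RETIRED
            old.dead_at = now + RETIRE_TIME
        self.ds_submitted = False
        return "ok"


def simulate() -> Dict[str, object]:
    """Run the scenario from the thread and return the observable results."""
    z = Zone(keys=[KSK(keytag=1001, state=ACTIVE),
                   KSK(keytag=2002, state=PUBLISH, ready_at=PUBLISH_TIME)])
    z.rollover(now=0)              # standby not ready: nothing happens yet
    z.tick(now=0)
    nothing_yet = not z.ds_submitted
    z.tick(now=PUBLISH_TIME)       # standby is now ready -> "submit DS"
    z.tick(now=PUBLISH_TIME + 1)   # still not seen -> message repeats
    repeats = sum("submit DS" in m for m in z.log)
    wrong = z.ds_seen(9999, now=PUBLISH_TIME + 2)
    ok = z.ds_seen(2002, now=PUBLISH_TIME + 2)
    states = {k.keytag: k.state for k in z.keys}
    z.tick(now=PUBLISH_TIME + 2 + RETIRE_TIME)   # retired key reaches its dead time
    return dict(nothing_yet=nothing_yet, repeats=repeats, wrong=wrong, ok=ok,
                states=states, dead=z.keys[0].state)


def collision_demo() -> str:
    """Two ready KSKs sharing a (constructed) keytag: ds_seen must not pick one."""
    z = Zone(keys=[KSK(keytag=3003, state=READY), KSK(keytag=3003, state=READY)])
    return z.ds_seen(3003, now=0)


if __name__ == "__main__":
    print(simulate())
    print(collision_demo())
```

Scoping the command by zone (the `Zone` object here) narrows the match to ready KSKs of that zone, which is the point of the --zone question; the collision branch shows why a keytag alone is still not a safe selector when two ready keys share one.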


