[Opendnssec-develop] KSK rollover - current plan

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Nov 9 09:49:48 UTC 2009


> Stephen and I have come up with this plan for KSK rollover. We can add
> alternate schemes post version 1...
>
>
> Replacement key is pre-published as before.
>
> When we see that a key is about to retire, provided that there is one key
> in the ready state, issue the "submit DS" message.
>
> Keep issuing this message until the "DS seen" command is issued.
>
> At this time move the ready key to active, the active key to retired, and
> schedule the dead time of the retired key.
>
>
> Rollover if standby key is ready just sets estimated retire time to now;
> rollover if standby key is not ready sets estimated retire time to now, but
> nothing happens until the ready time of the new key... just as it does now.

Algorithm looks ok.

> DS seen command will look like:
>
> ods-ksmutil key ds-seen --keytag <keytag>
>
> (if keys are shared then we will ask if it has been seen in parents of all
> zones that use the key [y/N])
>
> Then, provided that the keytag supplied matches a KSK in the ready state,
> the process can continue.
>
>
> I'm going to go ahead and start writing this in so can you give any
> feedback ASAP please?

Do you need to use the keytag? Won't the system know which keys we are talking about when using either --zone or --policy?

If we must use the keytag, can we handle keytag collisions?

// Rickard

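The plan quoted above (pre-published standby key, repeated "submit DS" until a "DS seen" command, then ready -> active, active -> retired with a scheduled dead time) and Rickard's question about keytag collisions can both be illustrated with a small simulation. This is an added example and not OpenDNSSEC code: the class and method names, the sample keys, and the "dead after one DS TTL" delay are assumptions made for illustration. The key tag function follows RFC 4034 Appendix B, which is why two different public keys can share a 16-bit tag.

```python
"""Toy model of the KSK rollover plan discussed in the thread.

Added example, not OpenDNSSEC code.  Key, KskRollover, ds_seen() and the
sample keys used in the test are assumptions made for illustration;
key_tag() implements RFC 4034 Appendix B.
"""
from dataclasses import dataclass
from typing import Optional
import struct


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    The result is a 16-bit checksum, not a unique identifier, so two
    distinct keys can legitimately collide.
    """
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


@dataclass
class Key:
    zone: str
    tag: int
    state: str                      # publish -> ready -> active -> retire -> dead
    retire_at: Optional[float] = None
    dead_at: Optional[float] = None


class KskRollover:
    def __init__(self, keys, ds_ttl: float = 3600.0):
        self.keys = list(keys)
        self.ds_ttl = ds_ttl        # assumed: retired key is dead one DS TTL later
        self.messages = []          # "submit DS" messages emitted by the last tick

    def _in(self, zone: str, state: str):
        return [k for k in self.keys if k.zone == zone and k.state == state]

    def rollover(self, zone: str, now: float) -> None:
        """Manual rollover: set the active key's retire time to now.
        With no ready standby key nothing else happens until one is ready."""
        for k in self._in(zone, "active"):
            k.retire_at = now

    def tick(self, now: float):
        """One enforcer pass.  For every active KSK whose retire time has been
        reached, keep issuing "submit DS" for a ready standby key; the message
        repeats on every pass until ds_seen() is called.  Also kill retired
        keys whose dead time has passed."""
        self.messages = []
        for zone in sorted({k.zone for k in self.keys}):
            due = [k for k in self._in(zone, "active")
                   if k.retire_at is not None and k.retire_at <= now]
            ready = self._in(zone, "ready")
            if due and ready:
                self.messages.append(f"submit DS for zone {zone} keytag {ready[0].tag}")
            for k in self._in(zone, "retire"):
                if k.dead_at is not None and k.dead_at <= now:
                    k.state = "dead"
        return self.messages

    def ds_seen(self, tag: int, now: float, zone: Optional[str] = None) -> Key:
        """Model of `ods-ksmutil key ds-seen --keytag <tag>` plus an optional zone.

        Only a KSK in the ready state may be promoted.  If the tag matches
        more than one ready KSK the command refuses rather than guessing
        which DS the parent actually published.
        """
        matches = [k for k in self.keys
                   if k.tag == tag and k.state == "ready"
                   and (zone is None or k.zone == zone)]
        if not matches:
            raise LookupError(f"no ready KSK with keytag {tag}")
        if len(matches) > 1:
            zones = sorted({k.zone for k in matches})
            raise ValueError(f"keytag {tag} matches {len(matches)} ready KSKs in "
                             f"{zones}; name the zone or use a unique key id")
        new = matches[0]
        for old in self._in(new.zone, "active"):
            old.state = "retire"
            old.dead_at = now + self.ds_ttl   # schedule the dead time
        new.state = "active"
        return new
```

The two sample public keys in the test differ only by a pair of zero bytes and so produce the same key tag; with such keys ready in two zones, ds_seen() on the tag alone is rejected and only succeeds once the zone is named, which is the collision case the reply asks about.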

