[Opendnssec-develop] KSK rollover - current plan

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 10 09:27:12 UTC 2009

Hash: SHA256

> One extra question about this new scheme.
> Should there be any difference in behaviour between KSK rollovers if
> the
> policy is marked with the <ManualRollover /> tag?

Both the manual and automatic KSK rollover requires the DS command. The only difference when you have <ManualRollover /> is that the user must give the "key rollover" command and then the DS command.

The introduction of the DS command will do the same action as the <ManualRollover /> for the KSK. When we introduce the need for the DS command, then the rollover process will stop at the same point as when we have the <ManualRollover /> in the policy of the KSK. Right?

The <ManualRollover /> tag is still useful if you e.g. want to roll the ZSK the first of each month by using a cronjob. But the question is if <ManualRollover /> is useful anymore for the KSK?

The rollover is initiated today, but we were not able to give the DS command until one week later. We still want the rollover to happen on the same date next year, and not shifted one week.

Expected result:
The rollover date will be one week later next year, because our policy said that a key is valid one year.

Scenario next year:
If we only use the DS command, then the rollover will be completed one week late.
But if we first give the "key rollover" command on the expected date. Then we are able to complete the rollover with the DS command on the expected date.

So my question:
Can you safely give the "key rollover" command even though OpenDNSSEC has automatically initiated the rollover? Or is this the case when you should have the <ManualRollover /> for the KSK, so that you won't get a double rollover?

Another question:
Shouldn't it be possible to give the DS command even though the key is only published and not ready? OpenDNSSEC gets the notification from the user, but will wait until it is ready and then complete the rollover process.

// Rickard

Version: 9.8.3 (Build 4028)
Charset: utf-8


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20091110/0440bc3d/attachment.htm>

More information about the Opendnssec-develop mailing list