[Opendnssec-develop] KSK rollover - current plan

sion at nominet.org.uk sion at nominet.org.uk
Thu Nov 12 00:53:48 UTC 2009

> Both the manual and automatic KSK rollover requires the DS command.
> The only difference when you have <ManualRollover /> is that the
> user must give the "key rollover" command and then the DS command.

not _must_; it makes no real difference.

> The introduction of the DS command will do the same action as the
> <ManualRollover /> for the KSK. When we introduce the need for the
> DS command, then the rollover process will stop at the same point as
> when we have the <ManualRollover /> in the policy of the KSK. Right?


> The <ManualRollover /> tag is still useful if you e.g. want to roll
> the ZSK the first of each month by using a cronjob. But the question
> is if <ManualRollover /> is useful anymore for the KSK?
> Scenario:
> The rollover is initiated today, but we were not able to give the DS
> command until one week later. We still want the rollover to happen
> on the same date next year, and not shifted one week.
> Expected result:
> The rollover date will be one week later next year, because our
> policy said that a key is valid one year.
> Scenario next year:
> If we only use the DS command, then the rollover will be completed
> one week late.
> But if we first give the "key rollover" command on the expected
> date. Then we are able to complete the rollover with the DS command
> on the expected date.
> So my question:
> Can you safely give the "key rollover" command even though
> OpenDNSSEC has automatically initiated the rollover? Or is this the
> case when you should have the <ManualRollover /> for the KSK, so
> that you won't get a double rollover?

Up to the point at which you issue "ds-seen" then no key states will
change, so the rollover command will apply to the current active key.
_After_ you issue the ds-seen then keystates will change at some point in
the future determined by your policy.

I would have to think a bit more about what _will_ happen if a rollover is
issued at this time, and what _should_ happen.

> Another question:
> Shouldn't it be possible to give the DS command even though the key
> is only published and not ready? OpenDNSSEC gets the notification
> from the user, but will wait until it is ready and then complete the
> rollover process.

Yes, I believe that this will work, it will schedule the event for some
time in the future like:

max(expected ready time, parent propagation etc)


More information about the Opendnssec-develop mailing list