[Opendnssec-develop] Overlapping KSKs

sion at nominet.org.uk sion at nominet.org.uk
Thu Sep 3 08:30:52 UTC 2009


>From item 8 of http://trac.opendnssec.org/wiki/Meetings/Minutes/2009-08-27
I see that overlapping KSKs is still up for discussion.

I was going to move on to this as my next piece of work so I'll kick off
the discussion...

The KSK is used as soon as it is published in the zone (event 2 in figure 5
of the timing draft), the ready time signifies when we believe that the
DNSKEY and or DS records have propagated. The key becomes "active" when its
predecessor is retired, so really "active" means "the next key to retire"
for KSKs.

This means that we already have overlapping keys, but they are not both
marked as "active", one is marked as "ready". A lifetime of 1 year means
that a key will be in the "ready" state for about a year (while its
predecessor is active), and active for 1 year; unless an emergency rollover
is performed.

Does this work for .se? Or, do we need some new logic to mark 2 keys as

Then we have a question about rollovers. If the rollover is an emergency
one do we have to assume that all keys on that HSM are compromised? Do we
need to think about standby keys (ones on the same hsm, waiting for
scheduled rollovers) and emergency keys (stored on a separate hsm) as
separate entities?


More information about the Opendnssec-develop mailing list