[Opendnssec-develop] KSK Rollover Mechanism

sion at nominet.org.uk
Tue Apr 6 15:27:25 UTC 2010

I've just noticed from the minutes of tomorrow's meeting that I am charged
with documenting the KSK rollover procedure...

I think that I have updated the wiki pages where I can, but I don't think
that I have access to the wordpress pages?

Scheduled Rollover:

1) Pre publish key in zone
2) when key is ready, prompt for DS to be submitted (a message to syslog)

 - This is where the command specified in conf.xml:Configuration/Enforcer/
DelegationSignerSubmitCommand will be called.
   To use it prepare a script which accepts DNSKEY records on STDIN.

3) wait for DS-Seen

 - This could be scripted with something that monitors DNS and calls the
ds-seen command... We do not provide this currently.

3a) old key retired in same command (by default)
4) --no-retire passed to ds-seen; ksk-retire used later

Emergency rollover:

1) key rollover --keytype KSK issued; old key retired and marked as
2a) if there is a key in the ready state use it
2b) if there is a standby key waiting, publish it
2c) publish a new key into the zone
3) when the successor key is ready (which might involve the DS publication
/ ds-seen stuff from above) complete the rollover.

The new command "ods-ksmutil ksk-retire" takes the zone and optionally some
key identifiers as arguments. If no key identifiers are supplied then it
retires the oldest key in the zone. It will fail if there is only one
active key though.

The logic also now accounts for the first key in the zone, and does not
request the DS record to be published until the child propagation period is
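As an added example (not part of this post or of OpenDNSSEC itself): a minimal helper of the kind DelegationSignerSubmitCommand could call, reading presentation-format DNSKEY records on STDIN and printing the DS records (RFC 4034 key tag, RFC 4509 SHA-256 digest) to hand to the parent. One record per input line, SEP-only filtering and the sample key blob are assumptions made here.

```python
import base64
import hashlib
import struct
import sys

# Constructed sample input: the key blob is a placeholder, not a real key.
SAMPLE_INPUT = """\
example.com. 3600 IN DNSKEY 257 3 8 AwEAAQ==
example.com. 3600 IN DNSKEY 256 3 8 AwEAAQ==
"""

def wire_name(owner):
    """Canonical (lower-case) wire form of the owner name, as the DS digest requires."""
    labels = [l for l in owner.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode() for l in labels) + b'\x00'

def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, flags, alg, rdata)."""
    f = line.split()
    i = f.index('DNSKEY')
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode(''.join(f[i + 4:]))
    return f[0], flags, alg, struct.pack('!HBB', flags, proto, alg) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(line):
    """DS RR (digest type 2 = SHA-256) for one DNSKEY line; None if the SEP bit is clear (not a KSK)."""
    owner, flags, alg, rdata = parse_dnskey(line)
    if not flags & 0x0001:  # only KSKs are submitted to the parent as DS
        return None
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}"

def ds_records(text):
    """DS records for every DNSKEY line in text (comment lines and non-KSKs skipped)."""
    lines = [l for l in text.splitlines() if 'DNSKEY' in l and not l.lstrip().startswith(';')]
    return [ds for ds in map(ds_record, lines) if ds]

if __name__ == '__main__':
    for ds in ds_records(sys.stdin.read()):
        print(ds)
```

Run it as `ods-ksmutil` would run the submit command, with the DNSKEY lines piped on standard input; what you do with the printed DS records (mail them, push them to a registrar API) is the part this post leaves to you.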