[Opendnssec-develop] Defining KSK rollover schemes

sion at nominet.org.uk
Mon Feb 22 11:19:33 UTC 2010


For v1.1 I am working on implementing the different KSK rollover schemes
defined in:
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01

This means adding an option to kasp.xml, and I think that it will involve a
database schema change too.

So, does the following look reasonable?

Sion


Index: kasp.rnc
===================================================================
--- kasp.rnc    (revision 2857)
+++ kasp.rnc    (working copy)
@@ -89,7 +89,10 @@

                                # use RFC 5011 for key rollover?
                                # Not implemented yet
-                               element RFC5011 { empty }?
+                               element RFC5011 { empty }?,
+
+                # Define the rollover scheme to be used
+                rollover?
                        }*,

                        # Zone Signing Keys (ZSK) parameters
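Review bot: `rollover?` is optional but nothing in this hunk says which scheme applies when `<RolloverScheme>` is absent from kasp.xml; the comment above `rollover?` should name the default (the behaviour existing configurations get today) so current kasp.xml files keep working unchanged after the schema change. Also, the two added lines `# Define the rollover scheme to be used` and `rollover?` are indented with spaces while the surrounding `element RFC5011 { empty }?` lines use tabs; match the existing indentation.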
@@ -195,3 +198,29 @@
 propagationdelay = element PropagationDelay { xsd:duration }

 audit = element Audit { empty }
+
+rollover = element RolloverScheme {
+    # Define the rollover scheme to be used.
+
+    # The new KSK is added to the DNSKEY RRset which is then signed with
+    # both the old and new key.  After waiting for the old DNSKEY RRset to
+    # expire from caches, the DS record in the parent zone is changed.
+    # After waiting a further interval for this change to be reflected in
+    # validating resolver caches, the old key is removed from the DNSKEY
+    # RRset.
+       "DoubleDNSKey" |
+
+       # The new DS record is published.  After waiting for this
+    # change to propagate into the caches of all validating resolvers, the
+    # KSK is changed.  After a further interval during which the old
DNSKEY
+    # RRset expires from caches, the old DS record is removed.
+       "DoubleDS" |
+
+       # The new KSK is added to the DNSKEY RRset which is then signed
with
+    # both the old and new key, and the new DS record added to the parent
+    # zone.  After waiting a suitable interval for the old DS and DNSKEY
+    # RRsets to expire from validating resolver caches, the old DNSKEY and
+    # DS record are removed.
+       "DoubleRRSet"
+
+}
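Review bot: the DoubleDS description says only that "the KSK is changed" between the two DS steps, whereas the DoubleDNSKey and DoubleRRSet comments spell out which keys are in the DNSKEY RRset and sign it at each step; state the same for DoubleDS (what is in the DNSKEY RRset and what signs it once the new DS has propagated), since that is the step whose timing the scheme depends on. Indentation inside the element is mixed (the `"DoubleDNSKey" |` / `"DoubleDS" |` / `"DoubleRRSet"` lines use tabs, their comments use spaces), and there is a stray blank line before the closing `}`. As with the reference in the KSK block, a one-line comment naming the default value when the element is omitted would make this definition self-explanatory.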