[Opendnssec-develop] Standby keys

Sion Lloyd sion at nominet.org.uk
Wed Jul 7 07:41:54 UTC 2010

On Wednesday 07 Jul 2010 8:12:13 am Rickard Bellgrim wrote:
> On 6 jul 2010, at 17.31, Pierre Lebrech wrote:
> > OK, good idea. But some parent zones holders check to see if the
> > corresponding DNSKEY is present in the child zone before accepting
> > DS records. I have DLV in mind... So in this scenario, DS records can
> > not be submitted
> This is also true for our own registrar, .SE Direkt. Mostly because it is
> used as a usability feature. The webpage pulls the DNSKEYs from the name
> server and presents them for the user, who gets the possibility to mark
> them as DS RR.
> Checks like this are then probably only done once, which does not prevent
> you from removing the DNSKEY from your zone but still having the DS
> present at the parent. So the current workaround for checks like that is
> to extract the public key using "ods-hsmutil". Add it to the unsigned
> zone. Resign the zone. Publish new DS. Remove the DNSKEY from the unsigned
> zone.
> .SE also has one extra DS (currently only in our DPS) which points to a
> key that we can roll over to in case of an emergency. This key is something
> that we generated and store outside OpenDNSSEC, so that we are independent
> of what system we can use.

This is nasty. So it looks like we have some work to do on standby keys, or at 
least standby KSKs.

2 things that we need to add (to do standby keys properly):

1. Configure the HSM.

2. Configure if the parent allows DS without DNSKEY.

Switch back to a "one size fits all" solution where the standby KSK is in the
zone (and used to sign?) but does not have a DS submitted until needed?
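The presence check the thread describes (does the DS the parent is asked to publish correspond to a DNSKEY actually in the child zone?), as an added example that is not code from this thread or from OpenDNSSEC: it derives the DS digest from a DNSKEY per RFC 4034 and shows why a DS for a standby KSK that is held out of the zone fails such a check. The zone name and key bytes are constructed placeholders, and the key-tag routine covers every algorithm except RSA/MD5.

```python
# Added example (not from the thread or OpenDNSSEC); stdlib only, sample keys constructed.
import base64
import hashlib
import struct

DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)

ZONE = "example.com."
# Constructed sample keys: (flags, protocol, algorithm, base64 public key).
# The key bytes are placeholders, not real key material.
ACTIVE_KSK = (257, 3, 13, base64.b64encode(b"active-ksk-placeholder").decode())
STANDBY_KSK = (257, 3, 13, base64.b64encode(b"standby-ksk-placeholder").decode())
ZSK = (256, 3, 13, base64.b64encode(b"zsk-placeholder").decode())

def owner_wire(name):
    """Canonical wire form of the owner name: lower-case, length-prefixed labels."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, pubkey_b64):
    """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, proto, alg, pubkey_b64, digest_type=2):
    """DS RDATA (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey_b64)
    digest = DIGEST[digest_type](owner_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def ds_has_matching_dnskey(owner, ds, zone_dnskeys):
    """True if some DNSKEY published in the child zone hashes to this DS."""
    tag, alg, dtype, digest = ds
    if dtype not in DIGEST:
        return False
    return any(make_ds(owner, *k, digest_type=dtype) == (tag, alg, dtype, digest.upper())
               for k in zone_dnskeys)

def standby_scenario():
    """The thread's case: the standby KSK is kept out of the published zone."""
    published = [ACTIVE_KSK, ZSK]
    return {label: ds_has_matching_dnskey(ZONE, make_ds(ZONE, *k), published)
            for label, k in (("active", ACTIVE_KSK), ("standby", STANDBY_KSK))}
```

`standby_scenario()` returns `{"active": True, "standby": False}`: the pre-published DS for the standby key is exactly what a DNSKEY-presence check at the parent rejects, which is the situation the workaround above (publish the key, resign, submit DS, then withdraw the key) is meant to get around.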
