[Opendnssec-develop] DoubleDNSKEY rollover

sion at nominet.org.uk
Thu Mar 4 10:42:59 UTC 2010

I'm just running tests on DoubleDNSKEY rollovers now. Sorry it's taken a
bit longer than I thought; we changed the timings on Friday. (The good news
is that we have managed to avoid the extra states for the key so far.)

The whole thing now looks like:

1) Pre-publish KSK so that it will enter the ready state before the
expected end-of-life of the previous key.

2) When it enters the ready state, send the following to the log:

Mar  4 10:09:47 sion ods-enforcerd: INFO: Please swap the DS record in the
parent of zone sion for the following, #012;KSK DS record
(SHA1):#012sion.#0113600#011IN#011DS#01133936 7 1
2df0432924e9d551be1d5cc2b569763822e4bb9a ;
 DS record (SHA256):#012sion.#0113600#011IN#011DS#01133936 7 2
e21e207392b2918bf688dcd392fe670f5ad6ea1fe6e14865c089793845792a52 ;
Mar  4 10:09:47 sion ods-enforcerd: INFO: Once the new DS records are seen
in DNS please issue the ds-seen command for zone sion with the following
cka_ids, 48e00948d5b67116ee115df7414380e5

(The formatting is a little out; #012 == "\n" and #011 == "\t".)
This is where the "DS-SUBMIT" hook will go, when I write it.

QUESTION: Is logging with a priority of INFO a good idea? People might not
be looking for it.

3) When the "ods-ksmutil key ds-seen" command is sent, move the new key to
active, retire the old key and set its dead time (unless a --no-retire flag
is used).

QUESTION: What should we do differently when the ManualRollover flag is

Rinse and repeat...

I need to test with standby keys and see what happens when we perform
unscheduled rollovers. Then DoubleDS should follow quite quickly.

Is this looking okay? It conforms (as far as I can tell) to the next draft
of the timing paper.
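The step-2 log message is the point where an operator copies a DS record into the parent zone, so the check worth having at hand is one that recomputes the DS from the DNSKEY actually published in the zone and compares it with what the enforcer logged, before ds-seen is ever issued. The following is an added example, not code from OpenDNSSEC or from the original post: it parses a presentation-format DNSKEY, derives the RFC 4034 key tag and the SHA-1/SHA-256 DS digests, decodes the #012/#011 escapes syslog used in the log line above, and reports any DS in the log that does not match the key. SAMPLE_DNSKEY is a constructed placeholder (a zero-filled blob with a 65537 exponent prefix, not a usable RSA key), so checking the post's real log line against it is expected to report a mismatch; POST_LOG is the post's own message with the mail wrapping undone.

```python
"""Recompute DS records from a DNSKEY and compare them with an ods-enforcerd log line.

Added example; not part of OpenDNSSEC. SAMPLE_DNSKEY is a constructed placeholder.
"""
import base64
import hashlib
import re
import struct

# Digest types per RFC 4034 section 5.1.3 (1 = SHA-1, 2 = SHA-256)
DIGEST_ALGS = {1: ("SHA1", hashlib.sha1), 2: ("SHA256", hashlib.sha256)}

# Constructed: flags 257 (KSK), protocol 3, algorithm 7, key = 03 01 00 01 + 32 zero bytes
SAMPLE_DNSKEY = "sion. 3600 IN DNSKEY 257 3 7 AwEAAQAA" + "AAAA" * 10

# The log line from the post, re-joined onto one line (syslog escapes left as logged)
POST_LOG = (
    "Mar  4 10:09:47 sion ods-enforcerd: INFO: Please swap the DS record in the "
    "parent of zone sion for the following, #012;KSK DS record "
    "(SHA1):#012sion.#0113600#011IN#011DS#01133936 7 1 "
    "2df0432924e9d551be1d5cc2b569763822e4bb9a ; "
    "DS record (SHA256):#012sion.#0113600#011IN#011DS#01133936 7 2 "
    "e21e207392b2918bf688dcd392fe670f5ad6ea1fe6e14865c089793845792a52 ;"
)


def name_to_wire(name):
    """Canonical wire form of an owner name (lower-cased, RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata bytes)."""
    fields = rr.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    key = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + key


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 has its own rule; rejected here)."""
    if rdata[3] == 1:
        raise ValueError("RSAMD5 (algorithm 1) key tags are not computed here")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_records(owner, rdata, ttl=3600):
    """{digest_type: (DS line in the enforcer's tab-separated style, digest hex)} per RFC 4034 s5.1.4."""
    tag, alg = key_tag(rdata), rdata[3]
    wire = name_to_wire(owner) + rdata          # digest covers owner name + DNSKEY RDATA
    out = {}
    for dtype, (_, h) in DIGEST_ALGS.items():
        digest = h(wire).hexdigest()
        line = "%s.\t%d\tIN\tDS\t%d %d %d %s" % (owner.rstrip("."), ttl, tag, alg, dtype, digest)
        out[dtype] = (line, digest)
    return out


def decode_syslog(line):
    """syslog renders embedded control characters as #ooo (octal): #012 is newline, #011 is tab."""
    return re.sub(r"#(\d{3})", lambda m: chr(int(m.group(1), 8)), line)


DS_RE = re.compile(r"(\S+)\s+(\d+)\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)")


def parse_logged_ds(line):
    """Extract (key tag, algorithm, digest type, digest hex) tuples from a raw or decoded log line."""
    return [(int(t), int(a), int(d), h.lower()) for _, _, t, a, d, h in DS_RE.findall(decode_syslog(line))]


def check_logged_ds(line, dnskey_rr):
    """Return a list of problems; an empty list means every logged DS matches the given DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_rr)
    expected = ds_records(owner, rdata)
    tag, alg = key_tag(rdata), rdata[3]
    logged = parse_logged_ds(line)
    problems = [] if logged else ["no DS records found in log line"]
    for ltag, lalg, dtype, digest in logged:
        if dtype not in expected:
            problems.append("unknown digest type %d" % dtype)
        elif (ltag, lalg, digest) != (tag, alg, expected[dtype][1]):
            problems.append("%s DS does not match DNSKEY (logged tag %d alg %d)"
                            % (DIGEST_ALGS[dtype][0], ltag, lalg))
    return problems


if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    for dtype, (line, _) in sorted(ds_records(owner, rdata).items()):
        print("DS record (%s):\n%s" % (DIGEST_ALGS[dtype][0], line))
    print("DS records in the post's log line:", parse_logged_ds(POST_LOG))
    print("post's log vs constructed key:", check_logged_ds(POST_LOG, SAMPLE_DNSKEY))
```

In practice the DNSKEY fed to check_logged_ds should come from a query against the signed zone (or from the HSM-backed key the enforcer is about to make active), not from the same process that emitted the log, so that a mismatch points at the key the parent would actually be trusting.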

