[Opendnssec-develop] DoubleDNSKEY rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 4 12:18:19 UTC 2010

> (The formatting is a little out; #012 == "\n" and #011 == "\t".)
> This is where the "DS-SUBMIT" hook will go, when I write it.
> QUESTION: Is logging with a priority of INFO a good idea? People might not
> be looking for it.

If we have the ds-submit / dnskey-submit hook, then there is no need for this text, right?

DNSKEY is the preferred format, because then you can either use it as-is or convert it into a DS. The enforcer should send all the DNSKEYs that it wants to publish in the parent zone to the submit hook.

> 3) When the "ods-ksmutil key ds-seen" command is sent, move the new key to
> active, retire the old key and set its dead time (unless a --no-retire flag
> is used).

How will the no-retire flag work? An external program does not know which key to retire. It only knows which DS records are available in the parent zone. We will be using the same command for the new KSK and the standby KSK.

The EPP client will use the ds-seen once it has successfully synchronized the current set of DS records. The user will then compensate for this by setting a higher retire safety.

> QUESTION: What should we do differently when the ManualRollover flag is
> set?

Do we need the ManualRollover for the KSK anymore? It is only useful for the ZSK. The KSK rollover will wait until you give the ds-seen.

// Rickard
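Added example, not code from the OpenDNSSEC project or from this message: the two operations the reply talks about, done in plain Python. A submit hook that is handed DNSKEYs can derive the DS itself (RFC 4034 key tag, digest over owner name plus DNSKEY RDATA), and a ds-seen decision can be made by comparing what the parent publishes against the keys the enforcer submitted, since the external program only sees DS records. The zone name, function names, the tiny public keys and the "parent" DS set are all constructed for the example; real keys are hundreds of bytes.

```python
# Added example (not OpenDNSSEC code): DNSKEY -> DS conversion and a
# "which of my keys has the parent actually seen" check. Sample data is
# constructed; the 4-byte "public keys" are placeholders, not real key material.
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except RSA/MD5)."""
    if rdata[3] == 1:
        raise ValueError("RSA/MD5 (algorithm 1) uses a different key tag rule and is deprecated")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """DS for a DNSKEY: digest is over owner name (wire form) || DNSKEY RDATA (RFC 4034 5.1.4)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_presentation(ds: dict) -> str:
    """Presentation form, e.g. 'example.com. IN DS 1549 8 2 <hex>'."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def parse_dnskey_presentation(line: str) -> tuple[str, bytes]:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, proto, alg, pubkey)


def seen_in_parent(owner: str, dnskeys: list[bytes], parent_ds: list[dict]) -> list[int]:
    """Key tags of the submitted DNSKEYs for which the parent publishes a matching DS.

    The comparison is on the full (tag, algorithm, digest type, digest) tuple, not on the
    key tag alone, because key tags are not unique.
    """
    published = {(d["key_tag"], d["algorithm"], d["digest_type"], d["digest"].upper())
                 for d in parent_ds}
    seen = []
    for rdata in dnskeys:
        for dt in sorted({d["digest_type"] for d in parent_ds}):
            ds = make_ds(owner, rdata, dt)
            if (ds["key_tag"], ds["algorithm"], ds["digest_type"], ds["digest"]) in published:
                seen.append(ds["key_tag"])
                break
    return seen


def demo() -> list[int]:
    """Enforcer submits a new KSK and a standby KSK; the parent has only taken up the first."""
    zone = "example.com."
    # Constructed DNSKEYs as the hook would receive them (flags 257 = KSK, algorithm 8).
    submitted = [
        parse_dnskey_presentation(f"{zone} 3600 IN DNSKEY 257 3 8 AAECAw==")[1],
        parse_dnskey_presentation(f"{zone} 3600 IN DNSKEY 257 3 8 ECAwQA==")[1],
    ]
    # What the hook would hand to the registrar for both keys.
    for rdata in submitted:
        print(ds_presentation(make_ds(zone, rdata)))
    # Constructed "parent zone" DS set: only the first key's DS has been published.
    parent_ds = [make_ds(zone, submitted[0])]
    return seen_in_parent(zone, submitted, parent_ds)


if __name__ == "__main__":
    print("ds-seen for key tags:", demo())
```

The point of matching on the whole DS tuple rather than the key tag is exactly the problem raised above: the external program knows nothing about which key is "new" or "standby", it can only report which of the submitted keys the parent now serves, so anything that depends on key roles (retire the old one or not) has to be decided on the enforcer side.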
