[Opendnssec-develop] DoubleDNSKEY rollover

sion at nominet.org.uk sion at nominet.org.uk
Thu Mar 4 12:37:29 UTC 2010 

> > (The formatting is a little out; #012 == "\n" and #011 == "\t".)
> > This is where the "DS-SUBMIT" hook will go, when I write it.
> >
> > QUESTION: Is logging with a priority of INFO a good idea? People might
not
> > be looking for it.
>
> If we have the ds-submit / dnskey-submit hook, then there is no need
> for this text, right?

Correct. It would log the command called instead.

> DNSKEY is a more preferred format, because then you can use that or
> convert it into a DS. The enforcer should send all the DNSKEYs to
> the submit hook that it want to publish in the parent zone.

Do you prefer DNSKEY in the log message instead of the DS or in addition
to?

There are obviously a number of replacements that I can make, in the same
way as %zone etc. work in the NotifyCommand... I was going to suggest a
list when I moved on to that command; but I am thinking along the lines of
%dnskey, %ds, %rolloverscheme, %zone.

> > 3) When the "ods-ksmutil key ds-seen" command is sent, move the new key
to
> > active, retire the old key and set its dead time (unless a --no-retire
flag
> > is used).
>
> How will the no-retire flag work? An external program does not know
> which key to retire. It only know which DS that are available in the
> parent zone. We will be using the same command for the new KSK and
> the standby KSK.

Currently it retires the oldest active key. DS-seen with no-retire will
leave multiple keys in the active state. I'm not sure that the standby key
should have its DS submitted until we need to roll to it? Its existence
really only saves you the time it takes to propagate through the child zone
(plus safety margin).

> The EPP-client will use the ds-seen once it has successfully
> synchronized the current set of DS. Then user will then compensate
> this with setting a higher retire safety.
>
> > QUESTION: What should we do differently when the ManualRollover flag is
> > set?
>
> Do we need the ManualRollover for the KSK anymore? It is only useful
> for the ZSK. KSK-rollover will wait until you give the ds-seen.

So we could have it so that if ManualRollover is set then no keys are
prepublished or removed from the zone without a manual step. Instead we
would send log messages warning that this needs to be done.

Sion

More information about the Opendnssec-develop mailing list