[Opendnssec-develop] DoubleDNSKEY rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 4 13:22:17 UTC 2010

> Currently it retires the oldest active key. DS-seen with no-retire will
> leave multiple keys in the active state. I'm not sure that the standby key
> should have its DS submitted until we need to roll to it? Its existence
> really only saves you the time it takes to propagate through the child zone
> (plus safety margin).

My vision is that the rolling of keys are separated from the ds-seen command. The ds-seen command will only mark a key as seen in the parent zone. The enforcer will then by it self determine if it can roll the key, but only if the key has been marked.

You can thus mark multiple keys, without enforcing a rollover.

Will you not save time by publishing the DS record of the standby key?

>> Do we need the ManualRollover for the KSK anymore? It is only useful
>> for the ZSK. KSK-rollover will wait until you give the ds-seen.
> So we could have it so that if ManualRollover is set then no keys are
> prepublished or removed from the zone without a manual step. Instead we
> would send log messages warning that this needs to be done.

OpenDNSSEC is a powerful tool, but I think we should keep it as simple as possible. Is there any use case where you want to manually enforce the prepublishing and the removal of the key?

There could be arguments that you do not want people to know the public key before I decide to roll the key. But will that do any harm?

The ManualRollover was a solution because we did not have the "ds-seen". It is still useful, but only the case of the ZSK. Where you e.g. can use "key rollover" in cron to have fixed rollover date.

Or what will happen if you give "key rollover" for KSK if it is waiting for the "ds-seen"? In the case where you want a fixed rollover date for the KSK?

// Rickard

More information about the Opendnssec-develop mailing list