[Opendnssec-develop] DoubleDNSKEY rollover

sion at nominet.org.uk sion at nominet.org.uk
Thu Mar 4 14:22:49 UTC 2010

> > Currently it retires the oldest active key. DS-seen with no-retire will
> > leave multiple keys in the active state. I'm not sure that the standby
> > should have its DS submitted until we need to roll to it? Its existence
> > really only saves you the time it takes to propagate through the child
> > (plus safety margin).
> My vision is that the rolling of keys are separated from the ds-seen
> command. The ds-seen command will only mark a key as seen in the
> parent zone. The enforcer will then by it self determine if it can
> roll the key, but only if the key has been marked.
> You can thus mark multiple keys, without enforcing a rollover.

Okay, what I'll do straight away then is I'll reverse the logic so that you
need to supply a --retire flag or the old key will be left active.

> Will you not save time by publishing the DS record of the standby key?

Yes, but then you will have multiple active keys rather than a standby
key... I'm not sure if that is what users would expect?

> >> Do we need the ManualRollover for the KSK anymore? It is only useful
> >> for the ZSK. KSK-rollover will wait until you give the ds-seen.
> >
> > So we could have it so that if ManualRollover is set then no keys are
> > prepublished or removed from the zone without a manual step. Instead we
> > would send log messages warning that this needs to be done.
> OpenDNSSEC is a powerful tool, but I think we should keep it as
> simple as possible. Is there any use case where you want to manually
> enforce the prepublishing and the removal of the key?
> There could be arguments that you do not want people to know the
> public key before I decide to roll the key. But will that do any harm?
> The ManualRollover was a solution because we did not have the "ds-
> seen". It is still useful, but only the case of the ZSK. Where you
> e.g. can use "key rollover" in cron to have fixed rollover date.
> Or what will happen if you give "key rollover" for KSK if it is
> waiting for the "ds-seen"? In the case where you want a fixed
> rollover date for the KSK?

My plan was to repeat the:

Mar  4 10:09:47 sion ods-enforcerd: INFO: Once the new DS records are seen
in DNS please issue the ds-seen command for zone sion with the following
cka_ids, 48e00948d5b67116ee115df7414380e5

log message until it is seen.

Issuing a "key rollover" command just says "mark the currently active key
as unsafe and schedule its replacement ASAP".

Given that for a KSK there is always some "manual" step involved, even if
that is farmed out to an automatic process, there seems little that is
gained... The one thing that can happen is that a new KSK will enter your
zone without your explicit permission.

I think that all of this becomes moot when I implement
http://www.pivotaltracker.com/story/show/1967265 as then the user can do
what they like with keys (within reason). Then you can just use longer
lifetimes then you really want and force keys according to your own
schedule, losing most of that libksm goodness :(

So for now I will ignore the ManualRollover flag when it comes to KSKs,
unless anyone objects.


More information about the Opendnssec-develop mailing list