[Opendnssec-develop] DoubleDNSKEY rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 4 14:38:56 UTC 2010

On 4 mar 2010, at 15.22, <sion at nominet.org.uk> <sion at nominet.org.uk> wrote:

>> My vision is that the rolling of keys is separated from the ds-seen
>> command. The ds-seen command will only mark a key as seen in the
>> parent zone. The enforcer will then by itself determine if it can
>> roll the key, but only if the key has been marked.
>> You can thus mark multiple keys, without enforcing a rollover.
> Okay, what I'll do straight away then is I'll reverse the logic so that you
> need to supply a --retire flag or the old key will be left active.
>> Will you not save time by publishing the DS record of the standby key?
> Yes, but then you will have multiple active keys rather than a standby
> key... I'm not sure if that is what users would expect?

Isn't it ok to have a DS record for a KSK that is not active, only pre-published? Isn't that the purpose of the standby key? Just so that you can roll at once, in case of emergency.
