[Opendnssec-develop] Finally... KSK rollover

sion at nominet.org.uk
Tue Mar 16 11:50:50 UTC 2010


I am about to check in the KSK rollover code. In this first iteration there
is only one scheme (DoubleDNSKEY) and there is no setting to change this.

The process is slightly different to how it appears in the documentation;
it now looks something like:

Scheduled Rollover:

1) Pre publish key in zone
2) when key is ready, prompt for DS to be submitted (currently a message to
syslog)
3) wait for DS-Seen
either
3a) old key retired in same command (--retire-current)
or
4) ksk-retire used later


Emergency rollover:

1) key rollover --keytype KSK issued; old key retired and marked as
"compromised"
2a) if there is a key in the ready state use it
or
2b) if there is a standby key waiting, publish it
or
2c) publish a new key into the zone
3) when the successor key is ready (which might involve the DS publication
/ ds-seen stuff from above) complete the rollover.

The new command "ods-ksmutil ksk-retire" takes the zone and optionally some
key identifiers as arguments. If no key identifiers are supplied then it
retires the oldest key in the zone. It will fail if there is only one
active key though.

The logic also now accounts for the first key in the zone, and does not
request the DS record to be published until the child propagation period is
over.

I'll update the wiki documentation to reflect these changes.

There are two slight issues:
1) until the first key is active the impending rollover warning throws an
error, this will probably only be seen with the very short timescales of
test environments though.

2) Doing a key rollover with no standby key ready produces a spurious error
message "0 ksks available in 'generate' state (need 1)".

I'll fix these soon, but wanted to get this code in so that people can
begin checking the logic. I also need to add all of the new keystates (for
standby keys) into key list etc...

Sion
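The scheduled and emergency flows described in the mail, as an added toy model that is not OpenDNSSEC's own code: key states, the DS-submit / DS-seen gate, the child-propagation wait for the first key, ksk-retire's refusal to retire the only active key, and the emergency successor order (ready key, then standby, then a new key) are modelled with assumed names; time is an integer day counter and the propagation periods are constructed sample values.

```python
"""Toy model of the DoubleDNSKEY KSK rollover flow from the mail (added
illustration, not OpenDNSSEC code; state names and timings are assumed)."""
from dataclasses import dataclass, field
from itertools import count
from typing import List, Optional

# Assumed state names, loosely following the mail's wording.
GENERATE, PUBLISH, READY, ACTIVE, RETIRE, COMPROMISED = (
    "generate", "publish", "ready", "active", "retire", "compromised")


@dataclass
class Key:
    kid: int
    state: str
    published_at: Optional[int] = None   # day the DNSKEY entered the zone
    ds_requested: bool = False           # "submit DS" prompt already issued


@dataclass
class Zone:
    name: str
    dnskey_ttl: int = 2            # assumed DNSKEY propagation delay (days)
    child_propagation: int = 5     # assumed wait before the very first DS request
    now: int = 0
    keys: List[Key] = field(default_factory=list)
    log: List[str] = field(default_factory=list)
    _ids: count = field(default_factory=count, repr=False)

    def _by_state(self, *states):
        return [k for k in self.keys if k.state in states]

    def generate_standby(self):
        k = Key(next(self._ids), GENERATE)
        self.keys.append(k)
        return k

    def publish(self, key=None):
        """Step 1: pre-publish a key (a standby one if given, else a fresh one)."""
        if key is None:
            key = Key(next(self._ids), PUBLISH)
            self.keys.append(key)
        key.state, key.published_at = PUBLISH, self.now
        return key

    def advance(self, days):
        """Step 2: a published key becomes ready after the TTL and the DS prompt
        fires; the zone's first key instead waits for the child propagation period."""
        self.now += days
        for k in self._by_state(PUBLISH):
            if self.now - k.published_at >= self.dnskey_ttl:
                k.state = READY
        first_key = not self._by_state(ACTIVE, RETIRE, COMPROMISED)
        wait = self.child_propagation if first_key else self.dnskey_ttl
        for k in self._by_state(READY):
            if not k.ds_requested and self.now - k.published_at >= wait:
                k.ds_requested = True
                self.log.append(f"submit DS for key {k.kid} of {self.name}")

    def ds_seen(self, kid, retire_current=False):
        """Step 3: DS seen at the parent, key goes active; --retire-current
        retires the old active key in the same command (step 3a)."""
        k = next(x for x in self.keys if x.kid == kid)
        if k.state != READY or not k.ds_requested:
            raise ValueError(f"key {kid} is not ready for ds-seen")
        old = self._by_state(ACTIVE)
        k.state = ACTIVE
        if retire_current:
            for o in old:
                o.state = RETIRE
        return k

    def ksk_retire(self, kids=None):
        """ksk-retire: retire the given keys, else the oldest active key (lowest
        id here); fails when the zone has only one active key."""
        active = self._by_state(ACTIVE)
        if len(active) <= 1:
            raise RuntimeError("refusing to retire the only active KSK")
        if kids is None:
            targets = [min(active, key=lambda k: k.kid)]
        else:
            targets = [k for k in active if k.kid in kids]
        for k in targets:
            k.state = RETIRE
        return [k.kid for k in targets]

    def emergency_rollover(self):
        """key rollover --keytype KSK: mark the active key compromised, then pick
        the successor: ready key (2a), else standby key (2b), else new key (2c)."""
        for k in self._by_state(ACTIVE):
            k.state = COMPROMISED
        ready = self._by_state(READY)
        if ready:
            return ready[0]
        standby = self._by_state(GENERATE)
        return self.publish(standby[0] if standby else None)


def scheduled_rollover_demo():
    """First key, a failed premature ksk-retire, then a rollover finished via step 4."""
    z = Zone("example.test")
    k1 = z.publish()
    z.advance(2)                    # k1 ready, but DS prompt withheld (first key)
    prompts_before = len(z.log)
    z.advance(3)                    # child propagation over: DS prompt for k1
    z.ds_seen(k1.kid)
    try:
        z.ksk_retire()              # only one active key: must be refused
        refused = False
    except RuntimeError:
        refused = True
    k2 = z.publish()
    z.advance(2)                    # k2 ready, DS prompt fires at once
    z.ds_seen(k2.kid)               # no --retire-current here ...
    retired = z.ksk_retire()        # ... so step 4 retires the oldest key later
    return prompts_before, refused, retired, {k.kid: k.state for k in z.keys}


def emergency_rollover_demo():
    """Active key compromised while a standby key waits: standby is published (2b)."""
    z = Zone("example.test")
    k1 = z.publish()
    z.advance(5)
    z.ds_seen(k1.kid)
    z.generate_standby()
    succ = z.emergency_rollover()
    z.advance(2)                    # successor ready, DS prompt fires
    z.ds_seen(succ.kid)             # step 3: rollover completed
    return {k.kid: k.state for k in z.keys}
```

Running both demo functions walks the two flows end to end; the state dictionaries they return show the old key parked in retire or compromised while exactly one successor is active.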



