[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 25 01:47:05 UTC 2010

> Gilles is having problems because the auditor is complaining that RRSIGs do not include those for the algorithm of a retired key. So, should : 
> a) the auditor not complain about missing RRSIGs for algorithms for which all keys in the zone have been retired (although still published)? or 
> b) the zone not include keys with algorithms for which there are no RRSIGs? 

RFC4035 - Section 2.2
There MUST be an RRSIG for each RRset using at least one DNSKEY of each algorithm in the zone apex DNSKEY RRset.

Does this mean the following?:

 * Rolling to a new ZSK algorithm: The prepublished ZSK must sign the DNSKEY RRset until we can sign the rest of the zone with the ZSK, once it is ready.

 * We cannot roll both the KSK and ZSK to a new algorithm at the same time (retiring them at the same time), since the old KSK algorithm must sign the DNSKEY RRset until the old ZSK does not need to be postpublished.

// Rickard

More information about the Opendnssec-develop mailing list