[Opendnssec-develop] Fw: [Opendnssec-user] auditor and rollover

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Mar 26 16:38:15 UTC 2010


Alexd at nominet.org.uk wrote:
>> > Gilles is having problems because the auditor is complaining that
>> > RRSIGs do not include those for the algorithm of a retired key. So,
>> > should:
>> >
>> > a) the auditor not complain about missing RRSIGs for algorithms
>> > for which all keys in the zone have been retired (although still
>> > published)? or
>> > b) the zone not include keys with algorithms for which there are no
>> RFC4035 - Section 2.2
>> ----
>> There MUST be an RRSIG for each RRset using at least one DNSKEY of
>> each algorithm in the zone apex DNSKEY RRset.
>> ----

RFC 4035 also says:

The apex DNSKEY RRset itself MUST be signed by each algorithm appearing
in the DS RRset located at the delegating parent (if any).

>> Does this mean the following?:
>>  * Rolling to a new ZSK algorithm: The prepublished ZSK must sign
>> the DNSKEY RRset until we can sign the rest of the zone with the
>> ZSK, once it is ready.

If you roll a new ZSK algorithm, you actually might need to make it a
signing, non-published key first, in order to propagate its signatures
to the cache resolvers.

I believe the DNSKEY RRset itself does not have to be signed by any of
the ZSKs, as long as it is signed with each of the algorithms signalled
by the DS RRset in the parent.

Though there was some dispute about that, one and a half years ago on the
dnsop ml (search for: [DNSOP] suggestion for 4641bis: key algorithm
rollover section).

>>  * We cannot roll both the KSK and ZSK to a new algorithm at the
>> same time (retiring them at the same time), since the old KSK
>> algorithm must sign the DNSKEY RRset until the old ZSK does not need
>> to be postpublished.

So, with that additional quote from rfc4035, I think you can roll
algorithms for KSK and ZSK independently.

> Anyone?
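The two RFC 4035 section 2.2 sentences quoted in this thread, applied literally as a check over the stages of a DNSKEY algorithm roll. This is an added illustration and not OpenDNSSEC's auditor code; the zone model, the key tags 1 to 4, the algorithm numbers 7 and 8, and the example. records are constructed stand-ins for the example. The check treats the apex DNSKEY RRset as one of the RRsets under the first sentence and separately applies the DS-algorithm sentence to it; signatures made by a key that is not in the DNSKEY RRset are ignored, as a validator ignores them, which is what lets the "signing, non-published" stage pass.

```python
"""Literal check of the two RFC 4035 section 2.2 requirements quoted in the
thread, run over the stages of a DNSKEY algorithm rollover. This is an added
illustration, not OpenDNSSEC's auditor; the zone model and every record below
are constructed for the example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    tag: int
    alg: int           # DNSKEY algorithm number (7 and 8 are stand-ins below)
    ksk: bool = False  # True for the key signing key


@dataclass(frozen=True)
class Rrsig:
    name: str
    rtype: str
    alg: int
    key_tag: int


@dataclass(frozen=True)
class Zone:
    apex: str
    dnskeys: tuple      # keys published in the apex DNSKEY RRset
    rrsets: tuple       # (owner, type) pairs in the zone, excluding the apex DNSKEY RRset
    rrsigs: tuple
    ds_algs: frozenset  # algorithms in the parent's DS RRset (empty if no parent)


def signing_algorithms(zone, name, rtype):
    """Algorithms of the RRSIGs over (name, rtype) whose key tag matches a
    published DNSKEY; a signature by an unpublished key is ignored, as a
    validator would ignore it."""
    published = {k.tag for k in zone.dnskeys}
    return {s.alg for s in zone.rrsigs
            if (s.name, s.rtype) == (name, rtype) and s.key_tag in published}


def check_rfc4035_2_2(zone):
    """Return the list of violations; an empty list means the zone passes.

    Rule 1: every RRset, the apex DNSKEY RRset included, MUST have an RRSIG
            made with a DNSKEY of each algorithm in the apex DNSKEY RRset.
    Rule 2: the apex DNSKEY RRset MUST be signed by each algorithm in the
            parent's DS RRset.
    """
    problems = []
    pub_algs = {k.alg for k in zone.dnskeys}
    for name, rtype in zone.rrsets + ((zone.apex, "DNSKEY"),):
        for alg in sorted(pub_algs - signing_algorithms(zone, name, rtype)):
            problems.append(f"{name}/{rtype}: no RRSIG with algorithm {alg} "
                            f"although a DNSKEY of that algorithm is published")
    for alg in sorted(zone.ds_algs - signing_algorithms(zone, zone.apex, "DNSKEY")):
        problems.append(f"{zone.apex}/DNSKEY: no RRSIG with DS algorithm {alg}")
    return problems


# Constructed rollover from algorithm 7 to algorithm 8 (KSK and ZSK together).
OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK = Key(1, 7, True), Key(2, 7), Key(3, 8, True), Key(4, 8)
APEX = "example."
DATA = ((APEX, "SOA"), (APEX, "NS"), ("www." + APEX, "A"))


def _sigs(zsk, ksk):
    """Sign every data RRset with the ZSK and the DNSKEY RRset with the KSK."""
    return tuple(Rrsig(n, t, zsk.alg, zsk.tag) for n, t in DATA) + \
        (Rrsig(APEX, "DNSKEY", ksk.alg, ksk.tag),)


def rollover_stage(stage):
    """Constructed zone contents at each stage of the roll."""
    if stage == "new-signing-unpublished":
        # The new algorithm signs but is not yet in the DNSKEY RRset, so its
        # signatures can reach caches before validators see an alg-8 key.
        return Zone(APEX, (OLD_KSK, OLD_ZSK), DATA,
                    _sigs(OLD_ZSK, OLD_KSK) + _sigs(NEW_ZSK, NEW_KSK), frozenset({7}))
    if stage == "both-published-both-signing":
        return Zone(APEX, (OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK), DATA,
                    _sigs(OLD_ZSK, OLD_KSK) + _sigs(NEW_ZSK, NEW_KSK), frozenset({7, 8}))
    if stage == "old-retired-still-published":
        # The situation from the thread: alg-7 keys still published, but only
        # alg-8 signatures remain, so rule 1 fires for every RRset.
        return Zone(APEX, (OLD_KSK, OLD_ZSK, NEW_KSK, NEW_ZSK), DATA,
                    _sigs(NEW_ZSK, NEW_KSK), frozenset({8}))
    if stage == "old-removed":
        return Zone(APEX, (NEW_KSK, NEW_ZSK), DATA, _sigs(NEW_ZSK, NEW_KSK), frozenset({8}))
    raise ValueError(stage)


if __name__ == "__main__":
    for s in ("new-signing-unpublished", "both-published-both-signing",
              "old-retired-still-published", "old-removed"):
        print(s, check_rfc4035_2_2(rollover_stage(s)) or "ok")
```

Only the "old-retired-still-published" stage fails, with one violation per RRset (SOA, NS, A and the apex DNSKEY RRset) for the still-published algorithm 7; the other three stages pass, including the one where the new algorithm signs before its keys are published.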
