[Opendnssec-user] KSK rollover process

Antti Ristimäki aristima at csc.fi
Tue Dec 8 06:59:39 UTC 2009

Hi folks,

We are encountering a problem with the manual KSK rollover process.
Before initiating the rollover, we have two KSK keys: one active and one
standby key in a READY state. So, everything should be ready for the
rollover. Now, when we initiate the KSK rollover with the ods-ksmutil
command, the following happens:

1. The signer generates a new standby key that enters a PUBLISHED state
2. The new standby KSK is added to the zone DNSKEY RRset
3. The DNSKEY RRset is still signed with (and only with) the old active
4. The new standby KSK becomes READY after a while
5. Finally we have three KSKs, one active and two standby KSKs in READY
state. The DNSKEY RRset is still signed with (and only with) the old
active KSK.

So, except for adding a new standby KSK to the DNSKEY RRset, nothing really
seems to happen. As far as I understand, the DNSKEY RRset should be
signed with both the old active and old standby KSK immediately after
giving the rollover command, because we already had a standby KSK in
READY state before giving the rollover command? Further, the retirement
timers of the old KSK should probably start after giving the
"ds-seen" (or "ksk-roll") command? But, before having the double
signatures we are unable to publish the new DS and give the "ds-seen"
command in the first place, right?

Are we perhaps missing something or is this a bug in the signer or in
the enforcer? We are using 1.0.0rc1-trunk.
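
The observation in steps 3 and 5 above (which KSKs actually sign the DNSKEY RRset) can be checked by matching RRSIG key tags against the published keys. The following is an added example, not part of the original message and not OpenDNSSEC code; it assumes `dig +dnssec DNSKEY`-style lines with TTL and class present, and every record in it is constructed.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ksk_signing_status(records):
    """Map each KSK key tag to True if an RRSIG over the DNSKEY RRset uses it."""
    ksk_tags, signer_tags = set(), set()
    for line in records:
        fields = line.split()
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":
            flags, proto, alg = (int(x) for x in rdata[:3])
            if flags & 0x0001:  # SEP bit set: key is a KSK
                key = base64.b64decode("".join(rdata[3:]))
                ksk_tags.add(key_tag(flags, proto, alg, key))
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            signer_tags.add(int(rdata[6]))  # 7th RRSIG rdata field is the key tag
    return {tag: tag in signer_tags for tag in sorted(ksk_tags)}

def _dnskey(flags, key):
    # Helper for building constructed sample records (hypothetical zone).
    b64 = base64.b64encode(key).decode()
    return "example.com. 3600 IN DNSKEY %d 3 8 %s" % (flags, b64)

# Constructed key material, not real keys: one active KSK, two standby KSKs, one ZSK.
ACTIVE, STANDBY_OLD, STANDBY_NEW, ZSK = (
    b"active-ksk", b"standby-ksk-1", b"standby-ksk-2", b"zsk")

# Constructed state matching step 5: three KSKs published, one signature.
SAMPLE = [
    _dnskey(257, ACTIVE), _dnskey(257, STANDBY_OLD),
    _dnskey(257, STANDBY_NEW), _dnskey(256, ZSK),
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20091222000000 "
    "20091208000000 %d example.com. c2ln" % key_tag(257, 3, 8, ACTIVE),
]

if __name__ == "__main__":
    for tag, signs in ksk_signing_status(SAMPLE).items():
        print("KSK %5d: %s" % (tag, "signs DNSKEY RRset" if signs else "published only"))
```

A KSK reported as "published only" has no RRSIG over the DNSKEY RRset, which is the state described for both standby keys.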


