[Opendnssec-user] KSK rollover process

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Dec 8 08:10:44 UTC 2009


> We are encountering a problem with the manual KSK rollover process.
> Before initiating the rollover, we have two KSK keys: one active and
> one standby key in a READY state. So, everything should be ready for the
> rollover. Now, when we initiate the KSK rollover with the ods-ksmutil
> command, the following happens:
> 1. The signer generates a new standby key that enters a PUBLISHED state
> 2. The new standby KSK is added to the zone DNSKEY RRset

We do this because we still want to have a standby key after this rollover.

> 3. The DNSKEY RRset is still signed with (and only with) the old active
> KSK

We use the so-called "Pre-Publication Method" and not the "Double-Signature Method".

> 4. The new standby KSK becomes READY after a while
> 5. Finally we have three KSKs, one active and two standby KSKs in READY
> state. The DNSKEY RRset is still signed with (and only with) the old
> active KSK.

This is also as expected. The command that you haven't given to the system is the ksk-roll.

> So, except adding a new standby KSK to the DNSKEY RRset, nothing really
> seems to happen. As far as I understand, the DNSKEY RRset should be
> signed with both the old active and old standby KSK immediately after
> giving the rollover command, because we already had a standby KSK in
> READY state before giving the rollover command? Further, the retirement
> timers of the old KSK should probably start after giving the
> "ds-seen" (or "ksk-roll") command? But, before having the double
> signatures we are unable to publish the new DS and give the "ds-seen"
> command in the first place, right?
>
> Are we perhaps missing something or is this a bug in the signer or in
> the enforcer? We are using 1.0.0rc1-trunk.

You first initiate the rollover by giving the command "ods-ksmutil key rollover --zone <Name of zone> --keytype KSK". This will start the "Pre-Publication" process. But since you have a standby key, you do not need to wait until the new key gets ready (your standby key is already ready).

You now need to publish your DS record: "ods-ksmutil key export --zone <Name of zone> --keystate ready --ds". Use the keytag from the DS record and finalize the rollover once you have seen your DS record in the parent zone: "ods-ksmutil key ksk-roll --zone <Name of zone> --keytag <Keytag>".

Only use the ksk-roll command for the key that you intend to roll over to, because this command will retire the currently active KSK.

// Rickard

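As an added example (not part of the message above and not OpenDNSSEC's own tooling), a POSIX shell script that wraps the three steps Rickard describes and refuses to run ksk-roll until the exported DS record is actually visible in the parent zone, since ksk-roll retires the active KSK. It assumes ods-ksmutil and dig are on PATH, that "key export --ds" prints DS RRs in presentation format, and that the first READY key listed is the one being rolled to; all three are assumptions, and the sample records at the bottom are constructed.

```shell
#!/bin/sh
# Added example: guard the OpenDNSSEC KSK rollover so that ksk-roll only runs
# once the parent publishes the DS. Assumes ods-ksmutil and dig on PATH and
# DS records in presentation format: owner TTL IN DS keytag alg dtype digest.
set -eu

# Key tag is the 5th field of a DS RR in presentation format.
keytag_from_ds() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "DS" { print $5; exit }'
}

# Strip owner/TTL and upper-case the digest so the exported DS can be
# compared with the parent's answer regardless of TTL or hex case.
normalize_ds() {
    printf '%s\n' "$1" | awk '$3 == "IN" && $4 == "DS" {
        printf "%s %s %s %s\n", $5, $6, $7, toupper($8) }'
}

# Return 0 when DS RR $1 is present in the parent's DS RRset $2 (one RR per
# line, e.g. "dig +noall +answer <zone> DS"), 1 otherwise.
ds_seen() {
    want=$(normalize_ds "$1")
    [ -n "$want" ] || return 1
    normalize_ds "$2" | grep -Fxq -- "$want"
}

# Step 1: start the pre-publication rollover (generates a new standby KSK).
start_rollover() { ods-ksmutil key rollover --zone "$1" --keytype KSK; }

# Step 2: export the DS of the READY key(s) for publication in the parent.
export_ready_ds() { ods-ksmutil key export --zone "$1" --keystate ready --ds; }

# Step 3: only when the DS is seen in the parent, retire the active KSK.
# Assumption: the first READY key exported is the one we roll to.
finalize_rollover() {
    zone=$1
    ds=$(export_ready_ds "$zone" | awk '$4 == "DS"' | head -n 1)
    parent=$(dig +noall +answer "$zone" DS)
    if ds_seen "$ds" "$parent"; then
        ods-ksmutil key ksk-roll --zone "$zone" --keytag "$(keytag_from_ds "$ds")"
    else
        echo "DS for $zone not yet visible in parent; not running ksk-roll" >&2
        return 1
    fi
}

# Constructed sample data (not real keys) for exercising the helpers offline.
SAMPLE_DS='example.com. 3600 IN DS 12345 8 2 ABCDEF0123'
SAMPLE_PARENT='example.com. 86400 IN DS 11111 8 2 0000aaaa
example.com. 86400 IN DS 12345 8 2 abcdef0123'

if [ "${1:-}" = "--run" ]; then finalize_rollover "$2"; fi
```

Run as "sh ksk-roll-guard.sh --run <zone>" after step 1 has been issued (or skipped, when a READY standby KSK already exists) and the exported DS has been submitted to the parent.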