[Opendnssec-user] KSK rollover process

Antti Ristimäki aristima at csc.fi
Tue Dec 8 09:16:03 UTC 2009

Thanks for your response,

On Tue, 2009-12-08 at 10:10 +0200, Rickard Bellgrim wrote:
> > 1. The signer generates a new standby key that enters a PUBLISHED state
> > 2. The new standby KSK is added to the zone DNSKEY RRset
> We do this because we still want to have a standby key after this rollover.

Correct, this is a desired behaviour in our opinion, too.

> > 3. The DNSKEY RRset is still signed with (and only with) the old active
> > KSK
> We use the so called "Pre-Publication Method" and not "Double-Signature Method"

I thought that Pre-Publication Method is feasible only for ZSK
rollovers? If we publish the new DS record in the parent zone and
someone queries it before we have activated the new KSK, he or she is
unable to validate the DNSKEY RRset as the DNSKEY RRset is still signed
with the old KSK but the DS points to the new KSK. Or is it assumed that
the parent zone supports double DS records?
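
The validation condition discussed in this message, as an added example that is not part of the original thread or of OpenDNSSEC: a small model that walks two constructed rollover timelines and reports every step at which a resolver holding either current or still-cached data would fail to link a DS to a KSK that signs the DNSKEY RRset. The key tags, step labels and the one-step caching model are assumptions, and no real cryptography is performed.

```python
# Added illustration: key tags, step labels and the caching model are constructed.
from itertools import product

OLD, NEW = 11111, 22222   # made-up key tags for the old and new KSK

def rrset(published, signers):
    """A DNSKEY RRset view: (KSKs published, KSKs with an RRSIG over the RRset)."""
    return (frozenset(published), frozenset(signers))

def validates(ds_tags, dnskey):
    """Chain of trust holds if some DS names a published KSK that signs the RRset."""
    published, signers = dnskey
    return bool(set(ds_tags) & published & signers)

def bogus_steps(timeline):
    """Assumption: each step waits out the TTLs of the one before, so a resolver
    holds either the current or the previous DS set and DNSKEY RRset."""
    failures = []
    for i, (label, ds, keys) in enumerate(timeline):
        _, prev_ds, prev_keys = timeline[max(i - 1, 0)]
        views = product((("current", ds), ("cached", prev_ds)),
                        (("current", keys), ("cached", prev_keys)))
        for (ds_src, ds_view), (key_src, key_view) in views:
            hit = (label, ds_src, key_src)
            if not validates(ds_view, key_view) and hit not in failures:
                failures.append(hit)
    return failures

INITIAL = rrset({OLD}, {OLD})
OLD_SIGNS = rrset({OLD, NEW}, {OLD})   # new KSK published, old KSK still signing
NEW_SIGNS = rrset({OLD, NEW}, {NEW})

# DS replaced in the parent while only the old KSK signs the DNSKEY RRset.
SWAP_DS = [("initial", {OLD}, INITIAL),
           ("publish new KSK", {OLD}, OLD_SIGNS),
           ("parent swaps DS", {NEW}, OLD_SIGNS),
           ("activate new KSK", {NEW}, NEW_SIGNS)]

# Parent carries a DS for both KSKs across the switch.
DOUBLE_DS = [("initial", {OLD}, INITIAL),
             ("publish new KSK", {OLD}, OLD_SIGNS),
             ("parent adds DS", {OLD, NEW}, OLD_SIGNS),
             ("activate new KSK", {OLD, NEW}, NEW_SIGNS),
             ("parent drops old DS", {NEW}, NEW_SIGNS)]

if __name__ == "__main__":
    for name, plan in (("swap DS", SWAP_DS), ("double DS", DOUBLE_DS)):
        print(name, bogus_steps(plan) or "no bogus window")
```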

