[Opendnssec-user] KSK rollover process
jakob at kirei.se
Tue Dec 8 09:26:51 UTC 2009
On 8 dec 2009, at 10.16, Antti Ristimäki wrote:
> I thought that Pre-Publication Method is feasible only for ZSK
> rollovers? If we publish the new DS record in the parent zone and
> someone queries it before we have activated the new KSK, he or she is
> unable to validate the DNSKEY RRset as the DNSKEY RRset is still signed
> with the old KSK but the DS points to the new KSK. Or is it assumed that
> the parent zone supports double DS records?
you either have two DS records in the parent zone (and then switch KSK in the child zone) or you have two KSKs in the child zone (and switch DS at the parent). OpenDNSSEC current supports that you have two KSKs in the child zone and once the DS is updated at the parent you can tell OpenDNSSEC that you want to finalize the roll.
More information about the Opendnssec-user