[Opendnssec-user] KSK rollover process

Antti Ristimäki aristima at csc.fi
Tue Dec 8 09:42:49 UTC 2009

On Tue, 2009-12-08 at 11:26 +0200, Jakob Schlyter wrote:
> On 8 dec 2009, at 10.16, Antti Ristimäki wrote:
> > I thought that Pre-Publication Method is feasible only for ZSK
> > rollovers? If we publish the new DS record in the parent zone and
> > someone queries it before we have activated the new KSK, he or she is
> > unable to validate the DNSKEY RRset as the DNSKEY RRset is still signed
> > with the old KSK but the DS points to the new KSK. Or is it assumed that
> > the parent zone supports double DS records?
> you either have two DS records in the parent zone (and then switch KSK in the child zone) or you have two KSKs in the child zone (and switch DS at the parent). OpenDNSSEC currently supports that you have two KSKs in the child zone and once the DS is updated at the parent you can tell OpenDNSSEC that you want to finalize the roll.

But having two KSKs in the child zone and one DS in the parent zone
requires that the DNSKEY RRset is double signed in the child zone during
the rollover which is currently not the case. The DS record can't be
updated in the parent zone unless the new KSK is used to sign the DNSKEY

Sorry, I might be missing something :)
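The validation gap discussed in this thread, as an added toy model that is not part of the original post or of OpenDNSSEC: key tags stand in for DS digests, TTLs and propagation timing are ignored, and `Zone`, `chain_validates` and `double_ksk_rollover` are names chosen here.

```python
"""Toy model of a double-KSK rollover with a single DS at the parent.

A resolver can validate the child's DNSKEY RRset only if some DS at the
parent matches a published KSK whose RRSIG covers the DNSKEY RRset.
Key tags stand in for DS digests; TTLs and timing are ignored (assumption).
"""
from dataclasses import dataclass, field


@dataclass
class Zone:
    """Child zone state: published KSKs and the KSK(s) signing the DNSKEY RRset."""
    ksks: set = field(default_factory=set)      # key tags present in the DNSKEY RRset
    signers: set = field(default_factory=set)   # key tags whose RRSIG covers the DNSKEY RRset


def chain_validates(parent_ds: set, zone: Zone) -> bool:
    """True if a DS points at a published KSK that actually signs the DNSKEY RRset."""
    return any(tag in zone.ksks and tag in zone.signers for tag in parent_ds)


def double_ksk_rollover(old: int, new: int, double_sign: bool) -> list:
    """Walk the double-KSK rollover and report whether the chain validates at each step.

    double_sign=False models the situation described above: both KSKs are
    published but only the old KSK signs the DNSKEY RRset, so swapping the
    single DS at the parent breaks validation until the new KSK also signs.
    """
    results = []
    zone = Zone({old}, {old})
    results.append(("initial", chain_validates({old}, zone)))
    # Step 1: publish the new KSK in the child zone (optionally double-signing).
    zone.ksks.add(new)
    if double_sign:
        zone.signers.add(new)
    results.append(("new KSK published", chain_validates({old}, zone)))
    # Step 2: the parent replaces the old DS with the new one (only one DS at a time).
    results.append(("DS switched at parent", chain_validates({new}, zone)))
    # Step 3: activate the new KSK as signer and retire the old one.
    zone.ksks.discard(old)
    zone.signers.discard(old)
    zone.signers.add(new)
    results.append(("old KSK retired", chain_validates({new}, zone)))
    return results
```

With `double_sign=False` the "DS switched at parent" step reports `False`: resolvers that fetched the new DS cannot validate the DNSKEY RRset, which is the window the thread is about.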

