[Opendnssec-user] KSK rollover process

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Dec 8 10:09:58 UTC 2009


> But having two KSKs in the child zone and one DS in the parent zone
> requires that the DNSKEY RRset is double signed in the child zone during
> the rollover which is currently not the case. The DS record can't be
> updated in the parent zone unless the new KSK is used to sign the DNSKEY
> RRset.

We are using the method where you have two DS in the parent zone. One pointing to the current KSK and one pointing to the new one. When the new one becomes active you can remove the old DS.

// Rickard

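
The following is an added example, not part of the message above and not OpenDNSSEC code. It is a simplified model that compares the two-DS rollover described in the reply with the two-KSK, one-DS case raised in the quoted text, checking whether a validating resolver with mixed cached data always finds a chain of trust. The key names "old" and "new", the step lists and the function names are assumptions made for illustration.

```python
from itertools import product

def validates(ds, keys, signers):
    """Chain of trust holds if some KSK is referenced by a DS in the parent,
    published in the child's DNSKEY RRset, and has signed that RRset."""
    return bool(ds & keys & signers)

def first_broken_step(plan):
    """plan: list of (ds_set, dnskey_set, signer_set), one tuple per step.
    Assumption: each step waits for the previous TTLs to expire, so a resolver
    can only mix cached data from two adjacent steps.
    Returns the index of the first step that can break validation, else None."""
    for i in range(len(plan) - 1):
        ds_views = [plan[i][0], plan[i + 1][0]]        # parent data, old or new
        child_views = [plan[i][1:], plan[i + 1][1:]]   # DNSKEY RRset + its RRSIGs
        for ds, (keys, signers) in product(ds_views, child_views):
            if not validates(ds, keys, signers):
                return i + 1
    return None

# Two DS in the parent, one KSK at a time in the child (constructed plan).
DOUBLE_DS = [
    ({"old"},        {"old"}, {"old"}),
    ({"old", "new"}, {"old"}, {"old"}),   # add DS for the new KSK
    ({"old", "new"}, {"new"}, {"new"}),   # new KSK becomes active
    ({"new"},        {"new"}, {"new"}),   # remove the old DS
]

# Two KSKs in the child, one DS in the parent, DNSKEY RRset signed by old only.
SINGLE_SIGNED = [
    ({"old"}, {"old"},        {"old"}),
    ({"old"}, {"old", "new"}, {"old"}),
    ({"new"}, {"old", "new"}, {"old"}),   # DS swapped, new KSK never signed
]

# Same as above, but the DNSKEY RRset is double signed during the rollover.
DOUBLE_SIGNED = [
    ({"old"}, {"old"},        {"old"}),
    ({"old"}, {"old", "new"}, {"old", "new"}),
    ({"new"}, {"old", "new"}, {"old", "new"}),
    ({"new"}, {"new"},        {"new"}),
]

if __name__ == "__main__":
    for name, plan in [("double DS", DOUBLE_DS),
                       ("two KSKs, single signed", SINGLE_SIGNED),
                       ("two KSKs, double signed", DOUBLE_SIGNED)]:
        print(name, "->", first_broken_step(plan))
```
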

