[Opendnssec-user] KSK rollover process

Antti Ristimäki aristima at csc.fi
Tue Dec 8 10:35:14 UTC 2009

On Tue, 2009-12-08 at 12:09 +0200, Rickard Bellgrim wrote:
> > But having two KSKs in the child zone and one DS in the parent zone
> > requires that the DNSKEY RRset is double signed in the child zone
> > during
> > the rollover which is currently not the case. The DS record can't be
> > updated in the parent zone unless the new KSK is used to sign the
> > RRset.
> We are using the method where you have two DS in the parent zone. One pointing to the current KSK and one pointing to the new one. When the new one becomes active you can remove the old DS.

But this mechanism requires more parental work and could be problematic
especially for TLD operators. Even though double DS records were
supported in the root zone (I don't know whether they will be supported
or not), not many TLD operators would like to update the root zone twice
during the KSK rollover, I think.


More information about the Opendnssec-user mailing list