[Opendnssec-user] KSK rollover process

Ville Mattila vmattila at csc.fi
Tue Dec 8 13:14:49 UTC 2009


Rickard Bellgrim wrote on Tue, 8 Dec 2009 12:09:58 +0200:

> We are using the method where you have two DS in the parent zone. One
> pointing to the current KSK and one pointing to the new one. When the
> new one becomes active you can remove the old DS.

Ok, at least pre-publishing works.

Jakob Schlyter wrote on Tue, 8 Dec 2009 11:26:51 +0200:

> OpenDNSSEC currently supports that you have two KSKs in the child zone
> and once the DS is updated at the parent you can tell OpenDNSSEC that
> you want to finalize the roll.

Very good to hear OpenDNSSEC should support double-signing for the DS/KSK 
update.  It's the preferred method for us and, I think, for most other 
users, too.

Has anyone succeeded in actually using double-signing with OpenDNSSEC?

As Antti described earlier, we've observed that OpenDNSSEC never actually 
adds the double signature: the only DNSKEY RRSIG ever appearing in the zone 
is the one generated with the old KSK. (This effectively prevents 
replacing the DS in the parent, because we cannot control when exactly it 
will take place with respect to our own zone updates.)

I wasn't able to find an option to set in kasp.xml to choose whether 
double-signing or pre-publishing should be used.  Is there one?

We're running 1.0.0rc1-trunk.


Ville Mattila
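As an added example (not OpenDNSSEC's code and not from this thread), the following Python script checks the double-signing state the mail describes: it computes the key tags of the KSKs in the child's DNSKEY RRset, lists which of them actually have an RRSIG over DNSKEY, and compares that against the DS RRset at the parent. The zone name `example.`, the zone snippet, the public key bytes and the parent DS state are all constructed placeholders; the key-tag and DS computations follow RFC 4034 (Appendix B and digest type 2, SHA-256).

```python
"""Report the state of a double-signed KSK rollover.

Added example, not OpenDNSSEC code: it reads the child's DNSKEY RRset
and the RRSIG(DNSKEY) records from a constructed zone snippet, computes
key tags (RFC 4034, Appendix B) and DS records (SHA-256, digest type 2),
and compares them with the DS set at the parent.  Key material is a few
placeholder bytes, so the digests only exercise the comparison logic.
"""
import base64
import hashlib
import struct

# Constructed sample: two KSKs (flags 257) and one ZSK (flags 256) in the
# child zone, but only the old KSK (tag 2059) and the ZSK (tag 5136) sign
# DNSKEY.  The new KSK (tag 3598) has no RRSIG, which is the situation the
# mail describes.  Owner, TTL and class columns are omitted.
ZONE = """\
DNSKEY 257 3 8 AQID
DNSKEY 257 3 8 BAUG
DNSKEY 256 3 8 BwgJ
RRSIG DNSKEY 8 1 3600 20091222000000 20091208000000 2059 example. c2lnMQ==
RRSIG DNSKEY 8 1 3600 20091222000000 20091208000000 5136 example. c2lnMg==
"""

OWNER = "example."  # placeholder zone name


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: 16-bit flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def name_wire(name):
    """Owner name in lowercase wire format, as used in the DS digest."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def ds_record(owner, rdata, algorithm):
    """DS with digest type 2: SHA-256(owner wire form || DNSKEY RDATA)."""
    digest = hashlib.sha256(name_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, 2, digest)


def parse_zone(text):
    """Return (list of (flags, algorithm, rdata), set of RRSIG(DNSKEY) key tags)."""
    keys, sig_tags = [], set()
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "DNSKEY":
            flags, proto, alg = int(t[1]), int(t[2]), int(t[3])
            keys.append((flags, alg, dnskey_rdata(flags, proto, alg, t[4])))
        elif t[0] == "RRSIG" and t[1] == "DNSKEY":
            sig_tags.add(int(t[7]))  # key tag field of the RRSIG
    return keys, sig_tags


def parent_ds_for_old_ksk(owner=OWNER, zone_text=ZONE):
    """Constructed parent state: only the DS of the first KSK is published."""
    keys, _ = parse_zone(zone_text)
    alg, rd = next((alg, rd) for flags, alg, rd in keys if flags & 1)
    return [ds_record(owner, rd, alg)]


def rollover_report(owner, zone_text, parent_ds):
    """Which KSKs sign DNSKEY, which DS at the parent are usable, what is missing."""
    keys, sig_tags = parse_zone(zone_text)
    ksks = [(alg, rd) for flags, alg, rd in keys if flags & 0x0001]  # SEP bit set
    ds_by_tag = {ds[0]: ds for ds in parent_ds}
    tagged = [(key_tag(rd), alg, rd) for alg, rd in ksks]
    signing = sorted(tag for tag, _, _ in tagged if tag in sig_tags)
    unsigned = sorted(tag for tag, _, _ in tagged if tag not in sig_tags)
    # A DS is only usable if the child's DNSKEY RRset is signed by that key
    # *and* the DS digest matches what we compute from the published key.
    usable_ds = sorted(
        tag for tag, alg, rd in tagged
        if tag in sig_tags and ds_by_tag.get(tag) == ds_record(owner, rd, alg)
    )
    # KSKs that already sign DNSKEY but have no DS at the parent yet: these
    # are the ones whose DS can be added (the second DS of the method above).
    ready_to_add = [tag for tag in signing if tag not in ds_by_tag]
    return {
        "ksks": sorted(tag for tag, _, _ in tagged),
        "ksks_signing_dnskey": signing,
        "ksks_without_rrsig": unsigned,
        "usable_ds_at_parent": usable_ds,
        "ds_ready_to_add": ready_to_add,
    }


if __name__ == "__main__":
    print(rollover_report(OWNER, ZONE, parent_ds_for_old_ksk()))
```

With the constructed zone, the report lists KSK 3598 under `ksks_without_rrsig` and leaves `ds_ready_to_add` empty: the new DS should not be submitted to the parent until an RRSIG over DNSKEY made with the new KSK is actually visible in the zone, otherwise validators that pick the new DS have no signature to chain to. The same check, run against the real signed zone and the real parent DS set, shows whether the double signature ever appeared before the DS is changed.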
