[Opendnssec-user] KSK rollover process
vmattila at csc.fi
Tue Dec 8 13:14:49 UTC 2009
Rickard Bellgrim wrote on Tue, 8 Dec 2009 12:09:58 +0200:
> We are using the method where you have two DS in the parent zone. One
pointing to the current KSK and one pointing to the new one. When the
new one becomes active you can remove the old DS.
Ok, at least pre-publishing works.
Jakob Schlyter wrote on Tue, 8 Dec 2009 11:26:51 +0200:
> OpenDNSSEC current supports that you have two KSKs in the child zone
and once the DS is updated at the parent you can tell OpenDNSSEC that
you want to finalize the roll.
Very good to hear OpenDNSSEC should support double-signing for DS/KSK
update. It's the preferred method for us and I think for most of other
Has anyone succeeded in actually using double-signing with OpenDNSSEC?
As Antti described earlier, we've observed OpenDNSSEC never actually
adds the double signature: the only DNSKEY RRSIG ever appearing in zone
is the one generated with the old KSK. (This effectively prevents
replacing DS in parent because we cannot control when exactly it will
take place wrt our own zone updates.)
I wasn't able to find an option to set in kasp.xml to choose whether
double-signing or pre-publishing should be used. Is there one?
We're running 1.0.0rc1-trunk.
More information about the Opendnssec-user