[Opendnssec-user] KSK rollover
aristima at csc.fi
Wed Dec 9 16:59:35 UTC 2009
Still worried about the KSK rollover process...
I guess that the purpose of the "ksk-roll" command is to tell the signer
that the new DS record is now uploaded to the parent zone and the
retirement of the old KSK can be started? When tested, it seems that the
signer replaces the active KSK immediately the next time enforcerd runs
after the "ksk-roll" command has been given. I tested this by
giving the "ksk-roll" command and then "ods-control stop && ods-control start",
which presumably has the same effect as waiting for the
next enforcerd run?
The problem is that when giving the "ksk-roll" command, the signer should
wait for the DS TTL before replacing the active KSK - otherwise the user
must take care that the new DS record has been propagated to resolver
caches. Now the signer signs the DNSKEY RRset with the new KSK even
though the DS TTL has not elapsed. For users, it would be much more
convenient to just tell the signer that the DS record has been uploaded
and let the signer take care of the timings.
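The timing problem raised above, modelled as an added example (not OpenDNSSEC code and not the poster's): a validator that cached the old DS shortly before the new one was uploaded still validates against the old DS until its TTL expires, so the DNSKEY RRset must stay signed by the old KSK until then. Key tags, times and the helper names are constructed for illustration.

```python
"""Model the KSK rollover timing the post describes (constructed example, not
OpenDNSSEC code): after the new DS is published in the parent, a validator may
still hold the OLD DS in cache for up to its TTL. The old KSK must therefore
keep signing the DNSKEY RRset until that cache has expired."""
from dataclasses import dataclass

@dataclass
class ParentDS:
    key_tags: frozenset  # DS records currently published in the parent zone
    ttl: int             # DS TTL in seconds

@dataclass
class Validator:
    cached_ds: frozenset  # DS set this validator fetched earlier
    cached_at: int        # time the DS set was fetched

    def ds_for(self, now, parent):
        # Use the cached DS set until its TTL expires, then refetch from parent.
        if now - self.cached_at < parent.ttl:
            return self.cached_ds
        return parent.key_tags

def chain_valid(now, validator, parent, dnskey_signers):
    """True if a DS the validator trusts matches a KSK signing the DNSKEY RRset."""
    return bool(validator.ds_for(now, parent) & dnskey_signers)

def earliest_safe_retire(ds_uploaded_at, ds_ttl, propagation_delay=0):
    """Earliest time the old KSK may stop signing: every validator that fetched
    the old DS before the new one became visible has had time to expire it."""
    return ds_uploaded_at + propagation_delay + ds_ttl

def rollover_outcomes(ds_ttl=3600):
    OLD, NEW = 11111, 22222   # constructed key tags for old and new KSK
    t_upload = 1000           # new DS uploaded to the parent at this time
    parent = ParentDS(frozenset({NEW}), ds_ttl)
    # A validator that fetched the old DS one second before the upload.
    v = Validator(frozenset({OLD}), cached_at=t_upload - 1)
    # Behaviour observed in the post: signer switches to the new KSK at once.
    immediate = chain_valid(t_upload + 60, v, parent, frozenset({NEW}))
    # Keep both KSKs signing the DNSKEY RRset through the DS TTL instead.
    double_sig = chain_valid(t_upload + 60, v, parent, frozenset({OLD, NEW}))
    # Retire the old KSK only once earliest_safe_retire() has passed.
    safe_t = earliest_safe_retire(t_upload, ds_ttl)
    after_wait = chain_valid(safe_t, v, parent, frozenset({NEW}))
    return immediate, double_sig, after_wait
```

rollover_outcomes() returns (False, True, True): the immediate switch breaks validation for the caching resolver, while double signing or waiting out the DS TTL keeps the chain intact.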