[Opendnssec-user] KSK rollover

Antti Ristimäki aristima at csc.fi
Wed Dec 9 16:59:35 UTC 2009


Still worried about the KSK rollover process...

I guess that the purpose of the "ksk-roll" command is to tell the signer 
that the new DS record is now uploaded to the parent zone and the 
retirement of the old KSK can be started? When tested, it seems that the 
signer replaces the active KSK immediately when the enforcerd runs for the 
next time and the "ksk-roll" command has been given. I tested this by 
giving "ksk-roll" command and then "ods-control stop && ods-control start" 
command, which presumably has the same effect as waiting for the 
enforcerd run for the next time?

The problem is that when giving the "ksk-roll" command, the signer should 
wait for the DS TTL before replacing the active KSK - otherwise the user 
must take care that the new DS record has been propagated to resolver 
caches. Now the signer signs the DNSKEY RRset with the new KSK even 
though the DS TTL has not elapsed. For users, it would be much more 
convenient to just tell the signer that the DS record has been uploaded 
and let the signer take care of the timings.



More information about the Opendnssec-user mailing list