[Opendnssec-user] KSK rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Dec 10 14:01:39 UTC 2009

Hash: SHA256

> Hi,
> Still worried about the KSK rollover process...
> I guess that the purpose of the "ksk-roll" command is to tell the
> signer
> that the new DS record is now uploaded to the parent zone and the
> retirement of the old KSK can be started? When tested, it seems that
> the
> signer replaces the active KSK immediately when the enforcerd runs for
> the
> next time and the "ksk-roll" command has been given. I tested this by
> giving "ksk-roll" command and then "ods-control stop && ods-control
> start"
> command, which presumably has the same effect as waiting for the
> enforcerd run for the next time?
> The problem is that when giving the "ksk-roll" command, the signer
> should
> wait for the DS TTL before replacing the active KSK - otherwise the
> user
> must take care that the new DS record has been propagated to resolver
> caches. Now the signer signs the DNSKEY RRset with the new KSK even
> though the DS TTL has not elapsed. For users, it would be much more
> convenient to just tell the signer that the DS record has been uploaded
> and let the signer take care of the timings.

Since we are so close to the release, we will continue with the current solution. But we will update the documentation, where we make it clearer on what is happening and why. Currently you must only give the ksk-roll command when you have seen the new DS out on the nameservers.

Version 1.1 will have an option for the type of KSK rollover procedure.

// Rickard

Version: 9.8.3 (Build 4028)
Charset: utf-8


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20091210/821a6e80/attachment.htm>

More information about the Opendnssec-user mailing list