[Opendnssec-user] KSK rollover

Antti Ristimäki aristima at csc.fi
Fri Dec 11 06:41:05 UTC 2009

On Thu, 2009-12-10 at 16:01 +0200, Rickard Bellgrim wrote:

> > Still worried about the KSK rollover process...
> >
> > I guess that the purpose of the "ksk-roll" command is to tell the
> > signer
> > that the new DS record is now uploaded to the parent zone and the
> > retirement of the old KSK can be started? When tested, it seems that
> > the
> > signer replaces the active KSK immediately when the enforcerd runs for
> > the
> > next time and the "ksk-roll" command has been given. I tested this by
> > giving "ksk-roll" command and then "ods-control stop && ods-control
> > start"
> > command, which presumably has the same effect as waiting for the
> > enforcerd run for the next time?
> >
> > The problem is that when giving the "ksk-roll" command, the signer
> > should
> > wait for the DS TTL before replacing the active KSK - otherwise the
> > user
> > must take care that the new DS record has been propagated to resolver
> > caches. Now the signer signs the DNSKEY RRset with the new KSK even
> > though the DS TTL has not elapsed. For users, it would be much more
> > convenient to just tell the signer that the DS record has been uploaded
> > and let the signer take care of the timings.
> Since we are so close to the release, we will continue with the current solution. But we will update the documentation, where we make it clearer on what is happening and why. Currently you must only give the ksk-roll command when you have seen the new DS out on the nameservers.
> Version 1.1 will have an option for the type of KSK rollover procedure.

The possibility to use double signature method for KSK rollovers in
version 1.1 would be nice. 

The problem with the current ksk-roll command is that it doesn't seem to
take the parent zone DS TTL into account. Thus, an administrator has to
first publish the new DS record in the parent zone and then remember to
wait for the DS TTL before issuing the ksk-roll command. In the current
solution, the following possibility exists:

1. The user initiates the rollover with ods-ksmutil key rollover...
2. The user publishes the new DS record in the parent zone
3. The user sees the new DS in the parent zone and gives the ksk-roll
command. The DNSKEY RRset is now signed with only the new KSK.
4. A validator has still the old DS in its cache and queries for the
child zone DNSKEYs. The DNSKEY RRset can't be validated with the old DS.

This problem does not exist if the user remembers to make sure that the
DS TTL has elapsed. However, it would be nice if OpenDNSSEC took care of

I'm also wondering what the meaning of the DS TTL statement in the
kasp.xml is, if it's not used by the ksk-roll?


More information about the Opendnssec-user mailing list