[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Pierre Lebrech pierre.lebrech at laposte.net
Tue Jul 6 12:38:42 UTC 2010


I have the same "problem" as Antti:

I have 3 test zones and each has an active KSK and a dsready KSK.
The dsready KSK is labelled "When required". If I look in the zonefile, I
cannot see this DNSKEY. The only KSK I can find is the active one.

What should this dsready state mean? In ODS 1.0, this state didn't
exist. Before the ready state, there was a published state.


On Mon, May 31, 2010 at 01:40:49PM +0300, Antti Ristimäki wrote:
> Hi,
> On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> > On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote:
> > > We have 2 situations to consider, "emergency" rollover and scheduled rollover.
> > > 
> > > The standby key is not used for scheduled rollover, a new key will be pre-
> > > published for that.
> > > 
> > > The standby key will come into use if a rollover command is issued out-of-
> > > sequence. The thinking here is that the submission of the DS to the parent is 
> > > likely to be the slower step in the process, so we can get this out of the way 
> > > early on before we need to act fast.
> > 
> > OK, this is probably a good idea. But is the scheduled rollover now
> > meant to be initiated only automatically or how does ods-enforcer
> > differentiate a scheduled rollover from an emergency one, if they are
> > both initiated with the same "ods-ksmutil key rollover..." command?
> > 
> > In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> > introduce a new KSK in the DNSKEY RRset rather than using the standby
> > KSK. However, this may be due to the fact that my standby KSK is still
> > in "dspublish" state...I guess the standby KSK will enter "dsready" or
> > similar after the standby DS has propagated to caches?
> It seems that if your standby KSK is in "DSREADY" state and you type
> "ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
> signing the DNSKEY RRset with the standby KSK, in addition to the active
> KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
> RRset immediately, which I find weird. That is, the DNSKEY RRset is
> signed with a KSK that is not even present in the zone DNSKEY RRset!?
> With regards to my previous mail, it would be very nice indeed to be
> able to trigger the "normal" (i.e. non-emergency) rollover manually, for
> example for testing purposes etc. Now it doesn't seem to be possible.
> Regards,
> Antti


Pierre Lebrech
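
The condition described in the quoted message above (an RRSIG over the DNSKEY RRset made by a key that is not itself published in that RRset) can be checked mechanically by comparing RRSIG key tags against the tags of the published DNSKEYs. This is an added example, not part of the original thread or of OpenDNSSEC; the zone name, keys and signatures are constructed, and it assumes one record per line in `owner TTL class type rdata` form.

```python
import base64
import struct

# Constructed sample zone data (not real keys or signatures).
# The DNSKEY RRset holds an active KSK (257) and a ZSK (256); a second
# RRSIG over DNSKEY carries the key tag of a standby KSK that is not published.
ZONE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 256 3 8 CQoLDA==
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100801000000 20100701000000 2063 example.test. c2ln
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20100801000000 20100701000000 4119 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20100801000000 20100701000000 6174 example.test. c2ln
"""


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        # Even-offset bytes are the high octet of each 16-bit word.
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def dnskey_signers_missing(zone_text, owner):
    """Return key tags that sign the DNSKEY RRset but are absent from it."""
    published = set()
    signers = set()
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0] != owner or f[2] != "IN":
            continue
        if f[3] == "DNSKEY":
            pub = base64.b64decode("".join(f[7:]))
            published.add(key_tag(int(f[4]), int(f[5]), int(f[6]), pub))
        elif f[3] == "RRSIG" and f[4] == "DNSKEY":
            signers.add(int(f[10]))  # key tag field of the RRSIG RDATA
    return sorted(signers - published)


if __name__ == "__main__":
    for tag in dnskey_signers_missing(ZONE, "example.test."):
        print(f"RRSIG(DNSKEY) by key tag {tag}: key not in DNSKEY RRset")
```

A validator can only use an RRSIG whose key is present in the DNSKEY RRset, so a tag reported here identifies a signature that cannot yet contribute to validation.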
