[Opendnssec-user] Version 1.1.0 and KSK rollover logic
Sion Lloyd
sion at nominet.org.uk
Tue Jul 6 12:52:58 UTC 2010
> I have 3 test zones and each has an active KSK and a dsready KSK.
> dsready KSK is labelled "When required". If I look in the zonefile, I
> cannot see this DNSKEY. The only KSK I can find is the active one.
>
> What should this dsready state mean? In ODS 1.0, this state didn't
> exist. Before the ready state, there was a published state.
The key in the DSREADY state is the standby key. It has had its DS record
submitted to the parent but is not being published in the zone yet. It will
not be published until it is going to be used.
The idea is that if the key is needed in an emergency, the shortest timescale
that it can be used in is the publication through the child system. (It is
imagined that dealing with the parent zone is the slower of the two.)
Sion