[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Duane Wessels dwessels at verisign.com
Tue Jul 6 20:12:53 UTC 2010

On Jul 6, 2010, at 1:04 PM, Tim Verhoeven wrote:

> So this needs to be configurable behavior. Does anyone know what the
> policy on this is by the root zone?

The root zone also requires the DNSKEY to be present in the child zone.

See http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf

    At the time of the trust anchor request, there must be a DNSKEY
    that matches the DS record present in the child zone. 
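
The check the quoted procedure implies, as an added example that is not part of the original message or of OpenDNSSEC: it derives a DS from each DNSKEY as defined in RFC 4034 and reports whether the child zone's DNSKEY set contains a key matching the DS about to be submitted. The zone name, key material and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types handled here

def name_to_wire(name):
    """Canonical owner name: lowercase, uncompressed wire format."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags | protocol | algorithm | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, dnskey, digest_type=2):
    """Return (key tag, algorithm, digest type, hex digest) for one DNSKEY."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def ds_has_matching_dnskey(owner, ds, dnskeys):
    """True if some DNSKEY in the child zone's set hashes to this DS."""
    tag, algorithm, digest_type, digest = ds
    if digest_type not in DIGESTS:
        return False  # cannot verify, so do not treat as matching
    expected = (tag, algorithm, digest_type, digest.lower())
    return any(make_ds(owner, key, digest_type) == expected for key in dnskeys)

# Constructed sample data: placeholder key bytes, not real keys.
ZONE = "example.test."
KSK = (257, 3, 8, base64.b64encode(b"constructed KSK material").decode())
ZSK = (256, 3, 8, base64.b64encode(b"constructed ZSK material").decode())

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK)
    print("DS:", ZONE, *ds)
    # DS generated while only the ZSK is published: the DS has no matching DNSKEY.
    print("before KSK published:", ds_has_matching_dnskey(ZONE, ds, [ZSK]))
    print("after KSK published: ", ds_has_matching_dnskey(ZONE, ds, [ZSK, KSK]))
```

In a rollover, this is the condition to confirm against the published DNSKEY set before the new DS is handed to the parent.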

