[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Jul 7 07:12:13 UTC 2010

On 6 jul 2010, at 17.31, Pierre Lebrech wrote:

> OK, good idea. But some parent zone holders check to see if the
> corresponding DNSKEY is present in the child zone before accepting
> DS records. I have DLV in mind... So in this scenario, DS records
> cannot be submitted.

This is also true for our own registrar, .SE Direkt, mostly because it is used as a usability feature. The webpage pulls the DNSKEYs from the name server and presents them to the user, who gets the possibility to mark them as DS RRs.

Checks like this are then probably only done once, which does not prevent you from removing the DNSKEY from your zone while still having the DS present at the parent. So the current workaround for checks like that is to extract the public key using "ods-hsmutil". Add it to the unsigned zone. Resign the zone. Publish the new DS. Remove the DNSKEY from the unsigned zone.

.SE also has one extra DS (currently only in our DPS) which points to a key that we can roll over to in case of an emergency. This key is something that we generated and stored outside OpenDNSSEC, so that we are independent of what system we can use.

// Rickard
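The consistency check that parents such as .SE Direkt run once is reproduced below as an added example so that a child zone operator can run it themselves after the workaround: it recomputes the DS digests from the child's DNSKEY RRset (RFC 4034) and reports any DS at the parent that no longer has a matching DNSKEY. The code is not from this mail or from OpenDNSSEC; the zone name and key bytes are constructed placeholders.

```python
import base64
import hashlib
import struct

def wire_name(owner):
    """Owner name in canonical lower-case DNS wire form (RFC 4034 section 6.2)."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format RDATA of a DNSKEY RR (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, non-RSA/MD5 form)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def ds_for(owner, dnskey, digest_type=2):
    """DS tuple (key tag, algorithm, digest type, hex digest) for one DNSKEY.
    Digest = hash(wire owner name || DNSKEY RDATA), RFC 4034 section 5.1.4."""
    rdata = dnskey_rdata(*dnskey)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), dnskey[2], digest_type, digest)

def orphaned_ds(owner, child_dnskeys, parent_ds):
    """DS records at the parent that no DNSKEY in the child zone matches."""
    expected = {ds_for(owner, k, dt) for k in child_dnskeys for dt in DIGESTS}
    return [ds for ds in parent_ds
            if (ds[0], ds[1], ds[2], ds[3].lower()) not in expected]

# Constructed sample data (hypothetical zone, arbitrary bytes as "public keys"):
# flags 257 = KSK with the SEP bit set, protocol 3, algorithm 8 (RSA/SHA-256).
ZONE = "example.se."
OLD_KSK = (257, 3, 8, base64.b64encode(b"\x01" * 64).decode())
NEW_KSK = (257, 3, 8, base64.b64encode(b"\x02" * 64).decode())
CHILD_DNSKEYS = [NEW_KSK]                                  # old KSK already pulled
PARENT_DS = [ds_for(ZONE, OLD_KSK), ds_for(ZONE, NEW_KSK)]  # parent still has both

if __name__ == "__main__":
    for tag, alg, dt, digest in orphaned_ds(ZONE, CHILD_DNSKEYS, PARENT_DS):
        print(f"DS {tag} {alg} {dt} {digest[:16]}... has no DNSKEY in {ZONE}")
```

Feed it the DNSKEY RRset fetched from the child's name server and the DS set fetched from the parent; an empty result means every DS at the parent is still backed by a published key.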
