[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Jakob Schlyter jakob at kirei.se
Wed Jul 7 07:37:30 UTC 2010

On 6 jul 2010, at 22.12, Duane Wessels <dwessels at verisign.com> wrote:

> The root zone also requires the DNSKEY to be present in the child zone.
> see http://www.root-dnssec.org/wp-content/uploads/2010/05/draft-trust-anchor-procedure.pdf
>    At the time of the trust anchor request, there must be a DNSKEY
>    that matches the DS record present in the child zone.

This is not always true - if a zone wants to pre-publish a DS as part of a key rollover, it is possible to do that. One should be able to show that this introduces no harm though.

/ Jakob

More information about the Opendnssec-user mailing list