[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Mathieu Arnold mat at mat.cc
Wed Jul 7 09:04:51 UTC 2010

+--On 6 juillet 2010 17:39:15 +0200 Mathieu Arnold <mat at mat.cc> wrote:
| +--On 6 juillet 2010 17:31:07 +0200 Pierre Lebrech
| <pierre.lebrech at laposte.net> wrote:
|| OK, good idea. But some parent zones holders check to see if the
|| corresponding DNSKEY is present in the child zone before accepting
|| DS records. I have DLV in mind... So in this scenario, DS records can
|| not be submitted.
| Also, RIPE NCC has the same kind of prerequisites for reverse delegations.

Actually, I did remember it was more complicated than that with the RIPE
NCC, so I sent a mail to Marvin ("he"'s always been very helpful), and it
needs the submitted DS's key to sign the DNSKEY records in order to be
accepted:

***RDNS:    (related to ns1.absolight.net) ERROR (20 points): The
            following DS RR 42934 7 2

            is pointing to 257 3 7 (
            llMxNp5Zw+WpHjg1x2EbJAU= ) ; Key ID = 42934 (42934) Any key
            that a DS points to should sign the DNSKEY RRset

So, I'm a bit stuck, because the enforcer tells me:

Jul  7 10:56:20 ns1 ods-enforcerd: WARNING: KSK Retirement reached; please
submit the new DS for 242.143.79.in-addr.arpa and use ods-ksmutil key
ksk-roll to roll the key.

Which I can't do, because the DS can't be accepted :-)

Chicken, Egg...

Mathieu Arnold
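The parent-side prerequisite described above (the DS must match a published DNSKEY, and that key must sign the DNSKEY RRset), as an added Python example that is not from this thread or from OpenDNSSEC. The zone name is the one in the post; the key bytes, key tags and RRSIG list are constructed placeholders, and the check only confirms that an RRSIG over DNSKEY by that key tag exists, it does not verify signature bytes.

```python
import base64
import hashlib
import struct

# Constructed key material: the public key is filler bytes, not a real key,
# so the tag and digest are self-consistent but not the live zone's values.
ZONE = "242.143.79.in-addr.arpa."
DNSKEY_B64 = base64.b64encode(bytes(range(1, 33))).decode()
DNSKEYS = [(257, 3, 7, DNSKEY_B64)]   # (flags, protocol, algorithm, key) of one KSK
DS_DIGEST_TYPE = 2                    # 2 = SHA-256 (RFC 4509), 1 = SHA-1

def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case, length-prefixed) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(flags, proto, alg, key_b64):
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode(key_b64)

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(zone, rdata, digest_type=2):
    """DS digest = hash(owner name in wire form || DNSKEY RDATA)."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(zone) + rdata).hexdigest().upper()

def check_ds(zone, dnskeys, ds, rrsig_key_tags):
    """Parent-side check: DS matches a published DNSKEY, and that key's tag
    appears on an RRSIG over the DNSKEY RRset (signature itself not verified)."""
    ds_tag, ds_alg, ds_dtype, ds_hex = ds
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        if (key_tag(rdata) == ds_tag and alg == ds_alg
                and ds_digest(zone, rdata, ds_dtype) == ds_hex.upper()):
            return {"ds_matches_key": True, "key_signs_dnskey": ds_tag in rrsig_key_tags}
    return {"ds_matches_key": False, "key_signs_dnskey": False}

def demo():
    rdata = dnskey_rdata(*DNSKEYS[0])
    tag = key_tag(rdata)
    ds = (tag, 7, DS_DIGEST_TYPE, ds_digest(ZONE, rdata))
    before = check_ds(ZONE, DNSKEYS, ds, {12345})       # only the old KSK signs: rejected
    after = check_ds(ZONE, DNSKEYS, ds, {12345, tag})   # new KSK also signs: accepted
    return before, after
```

Run `demo()` before submitting a DS: the first result reproduces the rejection the post describes (correct DS, key not yet signing), the second shows what the parent expects once the new KSK signs the DNSKEY RRset.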
