[Opendnssec-user] Why do we need standby keys?

Antti Ristimäki antti.ristimaki at csc.fi
Fri Jul 9 04:40:24 UTC 2010

It is true that the best way for managing standby KSKs would be outside
OpenDNSSEC. However, I also hope you won't change the behaviour of
OpenDNSSEC too radically, because there are probably many people who
have already designed their procedures based on the current behaviour of
OpenDNSSEC. Changing the default behaviour of ODS to not have a standby
KSK wouldn't be a big deal, though.

By the way, I guess there are not too many people who are able to
purchase additional hardware HSMs from different vendors just in order
to have a standby key in a different system. Maybe utilizing SoftHSM would
be an alternative solution? In case of extreme emergency it would be
better than nothing.

> - How do you activate the standby keys?
> Set up a new system. Import the standby keys to OpenDNSSEC. Add the
> DNSKEY of the previous ZSK and KSK to the unsigned zone, because they
> are needed for signatures that are still cached. Start signing the
> zone and publish it. After a safe period of time, you can remove the
> old DS and the post-published ZSK and KSK.

Why do you need to add the DNSKEY of the previous KSK to the unsigned
zone? If someone has the old DNSKEY RRSIG cached, he/she also has the
old DNSKEYs cached and is able to validate the DNSKEY RRset.
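
The cutover in the quoted procedure, modelled as a toy validating-resolver cache. This is an added example, not code from this thread or from OpenDNSSEC: the key tags (1 = old KSK, 2 = old ZSK, 3 = standby KSK, 4 = new ZSK), the TTLs and the propagation delay are constructed, RRSIGs are reduced to the tag of the key that made them, and the parent is assumed to have pre-published the DS of the standby KSK. The model runs the case where a resolver still holds a cached RRSIG made by the old ZSK after its DNSKEY cache entry has expired, lets you vary which outgoing DNSKEYs are post-published, and goes one step beyond the message by computing the earliest time a post-published key can be dropped from the RRset.

```python
"""Toy model of a validating resolver's cache across the emergency
KSK/ZSK cutover described in the quoted procedure.  Added example, not
OpenDNSSEC code: zone contents, TTLs and resolver behaviour are
constructed and simplified (key tags stand in for keys, RRSIGs are
represented only by the tag of the key that made them)."""

from dataclasses import dataclass, field

# Constructed TTLs (seconds); substitute the ones from your zone.
DS_TTL = 7200
DNSKEY_TTL = 3600
DATA_TTL = 86400
PROPAGATION_DELAY = 900   # assumed worst-case lag until all secondaries serve the new zone

OLD_KSK, OLD_ZSK, STANDBY_KSK, NEW_ZSK = 1, 2, 3, 4   # constructed key tags


@dataclass(frozen=True)
class Zone:
    dnskeys: frozenset       # tags in the published DNSKEY RRset
    ksk_signers: frozenset   # tags whose RRSIG covers the DNSKEY RRset
    zsk_signers: frozenset   # tags whose RRSIG covers the zone's other RRsets
    ds_at_parent: frozenset  # tags for which the parent publishes a DS


@dataclass
class Resolver:
    """Minimal cache: name -> (expiry, payload)."""
    cache: dict = field(default_factory=dict)

    def lookup(self, name, now, fetch, ttl):
        hit = self.cache.get(name)
        if hit is not None and hit[0] > now:
            return hit[1]
        payload = fetch()
        self.cache[name] = (now + ttl, payload)
        return payload

    def resolve(self, zone, name, now):
        """Return (validated, reason) for `name`, using whatever is still
        cached and fetching the rest from `zone` (RFC 4035-style checks)."""
        ds = self.lookup("DS", now, lambda: zone.ds_at_parent, DS_TTL)
        keys, sigs = self.lookup("DNSKEY", now,
                                 lambda: (zone.dnskeys, zone.ksk_signers), DNSKEY_TTL)
        # The DNSKEY RRset is secure only if some RRSIG over it was made by a
        # key that is both in the RRset and matched by a DS we trust.
        if not (sigs & keys & ds):
            return False, "DNSKEY RRset has no RRSIG by a key with a trusted DS"
        signer = self.lookup(name, now, lambda: zone.zsk_signers, DATA_TTL)
        # Data RRSIGs validate only if their signing key is in the DNSKEY RRset.
        if not (signer & keys):
            return False, "RRSIG of %s made by key(s) %s, not in DNSKEY RRset" % (
                name, sorted(signer))
        return True, "ok"


def zone_before_cutover():
    # Assumption: the standby KSK's DS was pre-published at the parent,
    # which is what makes it usable immediately in an emergency.
    return Zone(frozenset({OLD_KSK, OLD_ZSK}), frozenset({OLD_KSK}),
                frozenset({OLD_ZSK}), frozenset({OLD_KSK, STANDBY_KSK}))


def zone_after_cutover(post_published):
    """Zone signed with the standby keys; `post_published` is the set of old
    key tags kept in the DNSKEY RRset without signing anything."""
    return Zone(frozenset({STANDBY_KSK, NEW_ZSK}) | frozenset(post_published),
                frozenset({STANDBY_KSK}), frozenset({NEW_ZSK}),
                frozenset({OLD_KSK, STANDBY_KSK}))


def validates_after_cutover(post_published, cutover=1000, check_at=None):
    """Resolver that cached www before the cutover, then re-queries after its
    DNSKEY cache entry has expired but while its www RRSIG is still cached."""
    r = Resolver()
    assert r.resolve(zone_before_cutover(), "www", 0)[0]
    if check_at is None:
        check_at = cutover + DNSKEY_TTL + 1   # DNSKEY expired, www (DATA_TTL) not
    return r.resolve(zone_after_cutover(post_published), "www", check_at)


def earliest_removal(cutover, signed_ttls):
    """Earliest time a post-published key can leave the DNSKEY RRset: every
    RRSIG it made must have fallen out of all caches, counting propagation."""
    return cutover + PROPAGATION_DELAY + max(signed_ttls)


if __name__ == "__main__":
    for kept in ({OLD_KSK, OLD_ZSK}, {OLD_ZSK}, set()):
        print("post-published", sorted(kept), "->", validates_after_cutover(kept))
    print("old ZSK removable at t =", earliest_removal(1000, [DATA_TTL]))
```

Run it as-is and the resolver that re-fetches the DNSKEY RRset while still holding the old-ZSK RRSIG validates only when tag 2 is in the post-published set; change the sets in zone_before_cutover (for example, drop STANDBY_KSK from ds_at_parent) to see what a resolver with only the old DS cached does.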

