[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Sion Lloyd sion at nominet.org.uk
Tue Jun 1 11:24:33 UTC 2010

On Monday 31 May 2010 11:40:49 am Antti Ristimäki wrote:
> Hi,
> On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> > On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote
> > 
> > > We have 2 situations to consider, "emergency" rollover and scheduled
> > > rollover.
> > > 
> > > The standby key is not used for scheduled rollover, a new key will be
> > > pre-published for that.
> > > 
> > > The standby key will come into use if a rollover command is issued
> > > out-of-sequence. The thinking here is that the submission of the DS
> > > to the parent is likely to be the slower step in the process, so we
> > > can get this out of the way early on before we need to act fast.
> > 
> > OK, this is probably a good idea. But is the scheduled rollover now
> > meant to be initiated only automatically or how does ods-enforcer
> > differentiate a scheduled rollover from an emergency one, if they are
> > both initiated with the same "ods-ksmutil key rollover..." command?

The idea is that you do not need to issue the "key rollover" command for a 
scheduled rollover, only the ds-seen. I see where the confusion comes in, 
though; I'll look at making our documentation clearer.

> > In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> > introduce a new KSK in the DNSKEY RRset rather than using the standby
> > KSK. However, this may be due to the fact that my standby KSK is still
> > in "dspublish" state...I guess the standby KSK will enter "dsready" or
> > similar after the standby DS has propagated to caches?
> It seems that if your standby KSK is in "DSREADY" state and you type
> "ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
> signing the DNSKEY RRset with the standby KSK, in addition to the active
> KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
> RRset immediately, which I find weird. That is, the DNSKEY RRset is
> signed with a KSK that is not even present in the zone DNSKEY RRset!?

That does sound odd, can you send me (off list) the signconf that was used at 
this time, if you still have it?

> With regards to my previous mail, it would be very nice indeed to be
> able to trigger the "normal" (i.e. non-emergency) rollover manually, for
> example for testing purposes etc. Now it doesn't seem to be possible.

I can add this to the requirements. If I understand, you would like to shorten 
the lifespan of the currently active key such that a "scheduled" rollover 
begins immediately. I.e. a new key is pre-published.
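The two KSK rollover paths discussed in this thread, as a small Python model added here for illustration (it is not OpenDNSSEC's enforcer code): a scheduled rollover pre-publishes a fresh key and completes on ds-seen, while an out-of-sequence `key rollover` promotes the standby key, but only once that key's DS has been confirmed at the parent (the `dspublish` to `dsready` step). The state names follow the thread's vocabulary; the `Zone` class, its methods, and the fallback of introducing a new key when no standby is DS-ready (Antti's observation above) are assumptions made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class Key:
    tag: int
    state: str            # "dspublish", "dsready", "active" or "retired" (thread vocabulary)
    standby: bool = False


@dataclass
class Zone:
    """Illustrative KSK state machine for one zone (assumed model, not the enforcer's)."""
    keys: list = field(default_factory=list)
    next_tag: int = 1

    def add_key(self, state, standby=False):
        key = Key(self.next_tag, state, standby)
        self.next_tag += 1
        self.keys.append(key)
        return key

    def active_key(self):
        return next(k for k in self.keys if k.state == "active")

    def find(self, tag):
        return next(k for k in self.keys if k.tag == tag)

    def scheduled_rollover(self):
        """Scheduled path: pre-publish a fresh KSK whose DS still has to be
        submitted to the parent. The standby key is deliberately not used."""
        return self.add_key("dspublish")

    def ds_seen(self, tag):
        """Operator confirms the DS for `tag` is at the parent (ds-seen).
        A standby key becomes ready; a pre-published key completes the roll."""
        key = self.find(tag)
        if key.state != "dspublish":
            raise ValueError(f"key {tag} is not waiting for its DS (state {key.state})")
        if key.standby:
            key.state = "dsready"
        else:
            self.active_key().state = "retired"
            key.state = "active"
        return key

    def emergency_rollover(self):
        """Out-of-sequence `key rollover --keytype KSK`: the slow parent step was
        done in advance for the standby key, so it can take over at once.
        Assumption: with no DS-ready standby, a new key is introduced instead."""
        ready = [k for k in self.keys if k.standby and k.state == "dsready"]
        if not ready:
            return self.scheduled_rollover()
        old, new = self.active_key(), ready[0]
        old.state = "retired"
        new.state = "active"
        new.standby = False
        return new


def demo_zone():
    """Constructed starting point: active KSK (tag 1) plus a standby KSK (tag 2)
    whose DS has been submitted to the parent but not yet confirmed."""
    zone = Zone()
    zone.add_key("active")
    zone.add_key("dspublish", standby=True)
    return zone


if __name__ == "__main__":
    z = demo_zone()
    print("emergency before ds-seen ->", z.emergency_rollover())   # new key, standby untouched
    z.ds_seen(2)
    print("emergency after ds-seen  ->", z.emergency_rollover())   # standby promoted
```

Running the module shows the behaviour Antti reported: with the standby still in `dspublish`, the rollover command introduces a new key; once ds-seen has moved it to `dsready`, the same command promotes the standby immediately. Shortening the active key's lifespan, as suggested in the last paragraph, maps onto calling `scheduled_rollover()` straight away.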
