[Opendnssec-user] Auditor and KSK rollovers

Antti Ristimäki aristima at csc.fi
Tue Jun 22 06:46:55 UTC 2010


It seems that the ods-auditor doesn't deal perfectly with the current
(version 1.1.0) KSK rollover logic. When the KSK rollover is being
initiated (that is, a new KSK is introduced in the zone and used to sign
the DNSKEY RRset) and when the zone is signed for the next time, the
auditor complains:

ods-auditor[3894]: Key (32345) has gone straight to active use without a prepublished phase

The auditor seems to expect that a new key is always prepublished, as is
done with ZSK rollovers.

When the zone is signed for the second time after KSK rollover
initiation, the auditor passes normally. So, currently we will miss one
zone update round when KSK is rolled and the auditor is used. This is
not a major issue, but not a desired behaviour, either.



More information about the Opendnssec-user mailing list