[Opendnssec-user] KSK Rollover in 1.1
Anirban Mukherjee
amukherj at gmail.com
Thu May 6 10:01:11 UTC 2010
Is there some detailed documentation regarding the enhanced KSK
rollover functionality introduced in version 1.1? I looked for it but
was not able to find it.
I was experimenting with automatic/semi-automatic KSK rollover and
have some doubts:
After step 6) below, what should be the action performed by the
DSSubmit command?
- If ds-seen is issued for K3 with --no-retire, both K2 and K3 get
into active state
- If ds-seen is issued for K3 without --no-retire, K3 becomes active
and K2 is retired
Both the above situations are probably not correct. And if we do not
issue ds-seen for K3 at all, no rollover occurs when K2's lifetime
comes to an end.
Regards,
Anirban
1) K1 publish, K2 dssub                              Zone: K1
2) K1 ready,   K2 dssub                              Zone: K1
   => DSSubmit cmd fired by Enforcer with K1,K2
   [Send K1,K2 DS records to parent registry
    Wait
    issue ds-seen cmd on K1 -> makes K1 active
    issue ds-seen cmd on K2 -> moves K2 to dspublish]
3) K1 active,  K2 dspublish                          Zone: K1
4) K1 active,  K2 dsready                            Zone: K1
   .....
   .....
5) K1 active,  K2 keypublish, K3 publish             Zone: K1,K2,K3
6) K1 retire,  K2 active,     K3 ready,  K4 ds-sub   Zone: K1,K2,K3
   [Rollover has occurred]
   => DSSubmit cmd fired by Enforcer with K1,K2,K3,K4
   [Send K2,K3 DS records to parent registry
    what to do here?....]