[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Antti Ristimäki aristima at csc.fi
Fri May 28 07:53:07 UTC 2010


The KSK rollover logic seems to have changed quite a bit between
releases 1.0 and 1.1. According to the changelog, the current logic seems to
be Double-DNSKEY. With reference to
draft-morris-dnsop-dnssec-key-timing, this probably corresponds to the
"Double-Signature" rollover method, right?

This new logic seems to change especially the way standby KSK keys
are handled. When I initially signed my zone with version 1.1.0, there
was only one KSK key in the DNSKEY RRset and the DNSKEY RRset was signed
with that very key. The standby KSK was not present in the DNSKEY RRset
at all, which I find a bit confusing. The standby key was in "waiting
for ds-seen" state and after giving "key ds-seen <standby-KSK>" the
standby key enters DSPUBLISH state but doesn't appear in the signed
zone. This means that we have a standby DS record in the parent zone but
not the corresponding DNSKEY published in our zone. Or is the KSK
rollover some kind of mixture of Double-Signature and Double-DS logics
or what?

So, what is the logic for rolling KSK in version 1.1.0 and especially
handling the standby KSKs? Draft-morris-dnsop-dnssec-key-timing states
that "Double-Signature (=Double-DNSKEY) method requires that the standby
KSK be included in the DNSKEY RRset; rolling the key then requires just
the introduction of the DS record in the parent". OpenDNSSEC version
1.1.0 doesn't seem to do it exactly this way, or am I missing something?
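One way to verify the situation described above, as an added example that is not part of the original post or of OpenDNSSEC itself: given the DNSKEY RRset the child zone actually publishes and the DS set the parent holds, list every DS record that matches no published DNSKEY (the standby-DS-without-DNSKEY case). Key tags and SHA-256 DS digests are computed per RFC 4034 / RFC 4509; the owner name, key material and record tuples are constructed placeholders, not real keys.

```python
"""Check that every DS the parent publishes has a matching DNSKEY in the child zone."""
import base64
import hashlib
import struct

def wire_name(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format, RFC 4034 section 6."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2 (SHA-256) over owner name + DNSKEY RDATA, RFC 4509."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()

def ds_without_dnskey(owner, dnskeys, parent_ds):
    """Return the parent's DS records (key_tag, algorithm, digest) that match
    no DNSKEY currently published in the child zone."""
    published = set()
    for flags, proto, alg, key in dnskeys:
        rdata = dnskey_rdata(flags, proto, alg, key)
        published.add((key_tag(rdata), alg, ds_digest(owner, rdata)))
    return [ds for ds in parent_ds if (ds[0], ds[1], ds[2].upper()) not in published]

def parent_ds_for(owner, dnskey):
    """DS (key_tag, algorithm, SHA-256 digest) as the parent would publish it."""
    rdata = dnskey_rdata(*dnskey)
    return (key_tag(rdata), dnskey[2], ds_digest(owner, rdata))

# Constructed example: two KSKs (flags 257) with placeholder key material,
# not real keys. Only the active one is in the zone's DNSKEY RRset.
OWNER = "example.com."
ACTIVE_KSK = (257, 3, 8, "AQIDBA==")
STANDBY_KSK = (257, 3, 8, "BQYHCA==")
ZONE_DNSKEYS = [ACTIVE_KSK]

if __name__ == "__main__":
    # Parent holds DS for both keys, as after 'key ds-seen' on the standby KSK.
    parent = [parent_ds_for(OWNER, ACTIVE_KSK), parent_ds_for(OWNER, STANDBY_KSK)]
    for tag, alg, digest in ds_without_dnskey(OWNER, ZONE_DNSKEYS, parent):
        print(f"DS {tag} alg {alg} has no DNSKEY in {OWNER} (digest {digest[:16]}...)")
```

Feed it the DNSKEY RRset from the signed zone file and the DS records fetched from the parent; an empty result means every DS the parent publishes can be validated against a key in the zone.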


