[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Sion Lloyd sion at nominet.org.uk
Fri May 28 08:34:39 UTC 2010

On Friday 28 May 2010 8:53:07 am Antti Ristimäki wrote:
> Hi,
> The KSK rollover logic seems to have changed quite a bit between
> releases 1.0 and 1.1. According to changelog, the current logic seems to
> be Double-DNSKEY. With reference to
> draft-morris-dnsop-dnssec-key-timing, this probably corresponds to
> "Double-Signature" rollover method, right?
> This new logic seems to change especially the way how standby KSK keys
> are handled. When I initially signed my zone with version 1.1.0, there
> was only one KSK key in the DNSKEY RRset and the DNSKEY RRset was signed
> with that very key. The standby KSK was not present in the DNSKEY RRset
> at all, which I find a bit confusing. The standby key was in "waiting
> for ds-seen" state and after giving "key ds-seen <standby-KSK>" the
> standby key enters DSPUBLISH state but doesn't appear in the signed
> zone. This means that we have a standby DS record in the parent zone but
> not the corresponding DNSKEY published in our zone. Or is the KSK
> rollover some kind of mixture of Double-Signature and Double-DS logics
> or what?
> So, what is the logic for rolling KSK in version 1.1.0 and especially
> handling the standby KSKs? Draft-morris-dnsop-dnssec-key-timing states
> that "Double-Signature (=Double-DNSKEY) method requires that the standby
> KSK be included in the DNSKEY RRset; rolling the key then requires just
> the introduction of the DS record in the parent". OpenDNSSEC version
> 1.1.0 doesn't seem to do it exactly this way or am I missing something
> essential?

We have 2 situations to consider, "emergency" rollover and scheduled rollover.

The standby key is not used for scheduled rollover, a new key will be pre-
published for that.

The standby key will come into use if a rollover command is issued out-of-
sequence. The thinking here is that the submission of the DS to the parent is 
likely to be the slower step in the process, so we can get this out of the way 
early on before we need to act fast.

I'm guessing that we need to make the documentation of the KSK rollover a bit 


More information about the Opendnssec-user mailing list