[Opendnssec-user] Version 1.1.0 and KSK rollover logic

Antti Ristimäki aristima at csc.fi
Fri May 28 10:02:49 UTC 2010

On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote
> We have 2 situations to consider, "emergency" rollover and scheduled rollover.
> The standby key is not used for scheduled rollover, a new key will be pre-
> published for that.
> The standby key will come into use if a rollover command is issued out-of-
> sequence. The thinking here is that the submission of the DS to the parent is 
> likely to be the slower step in the process, so we can get this out of the way 
> early on before we need to act fast.

OK, this is probably a good idea. But is the scheduled rollover now
meant to be initiated only automatically or how does ods-enforcer
differentiate a scheduled rollover from an emergency one, if they are
both initiated with the same "ods-ksmutil key rollover..." command?

In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
introduce a new KSK in the DNSKEY RRset rather than using the standby
KSK. However, this may be due to the fact that my standby KSK is still
in "dspublish" state...I guess the standby KSK will enter "dsready" or
similar after the standby DS has propagated to caches?


More information about the Opendnssec-user mailing list