[Opendnssec-user] Version 1.1.0 and KSK rollover logic
aristima at csc.fi
Mon May 31 10:40:49 UTC 2010
On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote:
> > We have 2 situations to consider, "emergency" rollover and scheduled rollover.
> > The standby key is not used for scheduled rollover, a new key will be pre-
> > published for that.
> > The standby key will come into use if a rollover command is issued out-of-
> > sequence. The thinking here is that the submission of the DS to the parent is
> > likely to be the slower step in the process, so we can get this out of the way
> > early on before we need to act fast.
> OK, this is probably a good idea. But is the scheduled rollover now
> meant to be initiated only automatically or how does ods-enforcer
> differentiate a scheduled rollover from an emergency one, if they are
> both initiated with the same "ods-ksmutil key rollover..." command?
> In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> introduce a new KSK in the DNSKEY RRset rather than using the standby
> KSK. However, this may be due to the fact that my standby KSK is still
> in "dspublish" state... I guess the standby KSK will enter "dsready" or
> similar after the standby DS has propagated to caches?
It seems that if your standby KSK is in "DSREADY" state and you type
"ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
signing the DNSKEY RRset with the standby KSK, in addition to the active
KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
RRset immediately, which I find weird. That is, the DNSKEY RRset is
signed with a KSK that is not even present in the zone DNSKEY RRset!?
With regards to my previous mail, it would be very nice indeed to be
able to trigger the "normal" (i.e. non-emergency) rollover manually, for
example for testing purposes etc. Now it doesn't seem to be possible.
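The oddity described above (the DNSKEY RRset carrying an RRSIG made by a KSK that is not itself published in the RRset) is something a zone operator can detect mechanically: every RRSIG over the apex DNSKEY RRset names a key tag, and that tag should match the RFC 4034 key tag of some DNSKEY in the same RRset. The script below is an added example, not code from this thread or from OpenDNSSEC; it parses a small, constructed zone fragment in presentation format (the `example.com.` owner, key material and signature bytes are all made up) and reports any DNSKEY RRSIG whose key tag has no matching published key. Validating resolvers treat such signatures as unusable, so this is the check to run against the signed output before assuming a rollover is in a safe state.

```python
"""Detect RRSIGs over a DNSKEY RRset whose signing key is not published.

Added example (not from the mailing-list thread). Key tags are computed
per RFC 4034 Appendix B over the DNSKEY RDATA; zone input is a constructed
presentation-format fragment with fully qualified owner, TTL and class.
"""
import base64


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag for any algorithm except 1 (RSA/MD5)."""
    if algorithm == 1:
        raise ValueError("algorithm 1 uses a different key tag rule (RFC 4034 B.1)")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        # even offsets are the high byte of a 16-bit word, odd offsets the low byte
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def parse_records(zone_text: str):
    """Return (set of published DNSKEY key tags, list of DNSKEY-RRSIG key tags)."""
    dnskey_tags = set()
    rrsig_tags = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, cls, rtype, *rdata = line.split()
        if rtype == "DNSKEY":
            # RDATA: flags protocol algorithm public-key(base64, may be split)
            flags, proto, alg = (int(x) for x in rdata[:3])
            pub = base64.b64decode("".join(rdata[3:]))
            dnskey_tags.add(key_tag(flags, proto, alg, pub))
        elif rtype == "RRSIG" and rdata[0] == "DNSKEY":
            # RDATA: type-covered alg labels orig-ttl expiration inception key-tag signer sig
            rrsig_tags.append(int(rdata[6]))
    return dnskey_tags, rrsig_tags


def find_orphan_signatures(zone_text: str):
    """Key tags of DNSKEY RRSIGs whose signing key is absent from the RRset."""
    keys, sigs = parse_records(zone_text)
    return sorted(t for t in sigs if t not in keys)


# Constructed sample: the active KSK (tag 2063) and a ZSK are published, but
# the DNSKEY RRset is also signed by a standby KSK (tag 6689) that is not
# present in the RRset yet, which is the situation reported in the thread.
SAMPLE_ZONE = """
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100630000000 20100531000000 2063 example.com. c2lnMQ==
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100630000000 20100531000000 6689 example.com. c2lnMg==
"""

# Same zone once the standby KSK (flags 257, public key bytes 0a0b0c0d) is
# actually published: every RRSIG now has a matching DNSKEY.
SAMPLE_ZONE_FIXED = SAMPLE_ZONE + "example.com. 3600 IN DNSKEY 257 3 8 CgsMDQ==\n"


if __name__ == "__main__":
    for name, zone in (("before", SAMPLE_ZONE), ("after", SAMPLE_ZONE_FIXED)):
        orphans = find_orphan_signatures(zone)
        status = "OK" if not orphans else f"unpublished signing keys: {orphans}"
        print(f"{name}: {status}")
```

On the "before" fragment the script reports key tag 6689 as an unpublished signer; on the "after" fragment it reports nothing. Against a real zone the input would be the signed zone file (or a `dig +dnssec DNSKEY` answer converted to the same field layout), and a non-empty result during a KSK rollover is the cue to wait, or to investigate, before removing the old key or updating the DS at the parent.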