[Opendnssec-user] Howto publish an additional DNSKEY-record

Rickard Bellgrim rickard at opendnssec.org
Thu Dec 1 14:48:53 UTC 2011


> What I would do is to add the emergency DNSKEY as a normal RR in the
> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
> key.
>
> Then, in case of a rollover, it should be a matter of adding a new
> keystore with SoftHSM.

You just add the DNSKEY of the emergency ZSK in the unsigned zone. And
add a DS of the emergency KSK to the parent zone. But the DS could be
added later if you feel that you have time for that. You also need to
use the same algorithm. If not, then it would be an algorithm rollover
which is not handled in this way.

// Rickard
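The DS derivation and same-algorithm check described in the reply above, as an added example that is not part of the original message or of OpenDNSSEC's code. The function names, the `example.com.` zone and the 4-byte key are constructed for illustration; the key tag follows RFC 4034 Appendix B and the digest is SHA-256 (DS digest type 2).

```python
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, as hashed into a DS."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    acc = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_for_emergency_ksk(owner, flags, algorithm, pubkey_b64, active_algorithm):
    """Return the DS line for the parent zone, refusing an algorithm mismatch."""
    if algorithm != active_algorithm:
        # A different algorithm would be an algorithm rollover, which
        # pre-publishing a standby key does not cover.
        raise ValueError("emergency key algorithm differs from the active keys")
    if not flags & 0x0001:
        raise ValueError("SEP bit not set: this is not a KSK (expected flags 257)")
    rdata = dnskey_rdata(flags, algorithm, pubkey_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    # Constructed sample: a 4-byte placeholder stands in for the real public key.
    sample_key = base64.b64encode(b"\x01\x02\x03\x04").decode()
    print(ds_for_emergency_ksk("example.com.", 257, 8, sample_key, active_algorithm=8))
```
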


