[Opendnssec-user] Howto publish an additional DNSKEY-record

Michael Braunoeder mib at nic.at
Thu Dec 1 14:54:25 UTC 2011

Hi Rickard,

Am 01.12.2011 15:48, schrieb Rickard Bellgrim:
>> What I would do is to add the emergency DNSKEY as a normal RR in the
>> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
>> key.
>> Then, in case of a rollover, it should be a matter of adding a new
>> keystore with SoftHSM.
> You just add the DNSKEY of the emergency ZSK in the unsigned zone.


> And add a DS of the emergency KSK to the parent zone. But the DS could be
> added later if you feel that you have time for that.  You also need to use
 > the same algorithm. If not, then it would be an algorithm rollover
> which is not handled in this way.

Yes, all our keys will use the same algorithm.


More information about the Opendnssec-user mailing list