[Opendnssec-user] Howto publish an additional DNSKEY-record
Michael Braunoeder
mib at nic.at
Thu Dec 1 14:54:25 UTC 2011
Hi Rickard,
Am 01.12.2011 15:48, schrieb Rickard Bellgrim:
>> What I would do is to add the emergency DNSKEY as a normal RR in the
>> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
>> key.
>>
>> Then, in case of a rollover, it should be a matter of adding a new
>> keystore with SoftHSM.
>
> You just add the DNSKEY of the emergency ZSK in the unsigned zone.
Perfect.
> And add a DS of the emergency KSK to the parent zone. But the DS could be
> added later if you feel that you have time for that. You also need to use
> the same algorithm. If not, then it would be an algorithm rollover
> which is not handled in this way.
Yes, all our keys will use the same algorithm.
Thanks,
Michael
More information about the Opendnssec-user
mailing list