[Opendnssec-user] Howto publish an additional DNSKEY-record

Antti Ristimäki antti.ristimaki at csc.fi
Fri Dec 2 05:58:34 UTC 2011


Hi,

On 2011-12-01 16:54, Michael Braunoeder wrote:
> Hi Rickard,
>
> On 01.12.2011 15:48, Rickard Bellgrim wrote:
>>> What I would do is to add the emergency DNSKEY as a normal RR in the
>>> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
>>> key.
>>>
>>> Then, in case of a rollover, it should be a matter of adding a new
>>> keystore with SoftHSM.
>>
>> You just add the DNSKEY of the emergency ZSK in the unsigned zone.
>
> Perfect.

When switching over to the emergency HSM, I think you should also add 
the DNSKEY record of the old HSM's ZSK to the unsigned zone file that is 
then signed using the emergency HSM. That is because a resolver can 
still have a signature made with the old ZSK in the cache but needs to 
fetch the DNSKEY RRset from the authoritative servers.

Antti
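Added example, not part of the thread: a small Python model of what Antti describes. A validating resolver that still holds an RRSIG made by the old HSM's ZSK must find a DNSKEY with the same signer name, algorithm and key tag in the freshly fetched apex DNSKEY RRset (RFC 4035 section 5.3.1); the key tag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA. The keys below are constructed placeholder bytes, not real keys, and `example.` is a made-up zone; no signature is actually verified, only the key lookup that has to succeed before verification can even start.

```python
"""Key-tag lookup during an emergency ZSK switch (RFC 4034 App. B, RFC 4035 5.3.1).

Constructed example: the key material is placeholder bytes, not real RSA keys.
"""
import base64
import struct
from dataclasses import dataclass

ZONE_KEY = 0x0100  # DNSKEY flag bit 7: Zone Key (RFC 4034 2.1.1)


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes  # constructed placeholder, not real key material

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag (valid for every algorithm except 1/RSAMD5)."""
        ac = 0
        for i, b in enumerate(self.rdata()):
            ac += b if i & 1 else b << 8
        ac += (ac >> 16) & 0xFFFF
        return ac & 0xFFFF

    def zone_line(self, ttl: int = 3600) -> str:
        """The plain DNSKEY RR to put into the unsigned zone file."""
        b64 = base64.b64encode(self.public_key).decode()
        return f"{self.owner} {ttl} IN DNSKEY {self.flags} {self.protocol} {self.algorithm} {b64}"


@dataclass(frozen=True)
class RRSIG:
    type_covered: str
    algorithm: int
    key_tag: int
    signer: str


def candidate_keys(rrsig: RRSIG, dnskey_rrset: list[DNSKEY]) -> list[DNSKEY]:
    """RFC 4035 5.3.1: keys in the apex DNSKEY RRset that could have produced rrsig."""
    return [k for k in dnskey_rrset
            if k.owner == rrsig.signer and k.protocol == 3 and k.flags & ZONE_KEY
            and k.algorithm == rrsig.algorithm and k.key_tag() == rrsig.key_tag]


def cached_rrsig_still_validatable(rrsig: RRSIG, fresh_dnskey_rrset: list[DNSKEY]) -> bool:
    """A resolver holds rrsig in its cache and re-fetches DNSKEY from the authoritative
    servers. With no matching DNSKEY there is nothing to verify against: the answer is bogus."""
    return bool(candidate_keys(rrsig, fresh_dnskey_rrset))


def unsigned_zone_dnskeys(emergency_zsk: DNSKEY, old_zsk: DNSKEY) -> list[str]:
    """DNSKEY RRs to add to the unsigned zone before it is signed with the emergency HSM:
    the emergency ZSK (Rickard's point) and the old HSM's ZSK (Antti's point)."""
    return [emergency_zsk.zone_line(), old_zsk.zone_line()]


# Constructed keys; a KSK is included only because a real apex DNSKEY RRset has one.
KSK = DNSKEY("example.", 257, 3, 8, bytes(range(128, 192)))
OLD_ZSK = DNSKEY("example.", 256, 3, 8, bytes(range(0, 64)))
EMERGENCY_ZSK = DNSKEY("example.", 256, 3, 8, bytes(range(64, 128)))

# Signature over www.example. A made by the old HSM before the switch, still sitting in a cache.
CACHED_RRSIG = RRSIG("A", 8, OLD_ZSK.key_tag(), "example.")


def demo() -> dict:
    without_old = [KSK, EMERGENCY_ZSK]
    with_old = [KSK, EMERGENCY_ZSK, OLD_ZSK]
    return {
        "validatable_without_old_zsk": cached_rrsig_still_validatable(CACHED_RRSIG, without_old),
        "validatable_with_old_zsk": cached_rrsig_still_validatable(CACHED_RRSIG, with_old),
    }


if __name__ == "__main__":
    for line in unsigned_zone_dnskeys(EMERGENCY_ZSK, OLD_ZSK):
        print(line)
    print(demo())
```

Only the public half of the old ZSK is needed for this, so it can be published even if the old HSM is gone. It has to stay in the zone until the last RRSIG made with it can no longer be in any cache, i.e. until the later of its signature expiration and the TTL of the records it signed has passed.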
