[Opendnssec-user] Howto publish an additional DNSKEY-record

Antti Ristimäki antti.ristimaki at csc.fi
Fri Dec 2 05:58:34 UTC 2011


On 2011-12-01 16:54, Michael Braunoeder wrote:
> Hi Rickard,
> Am 01.12.2011 15:48, schrieb Rickard Bellgrim:
>>> What I would do is to add the emergency DNSKEY as a normal RR in the
>>> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
>>> key.
>>> Then, in case of a rollover, it should be a matter of adding a new
>>> keystore with SoftHSM.
>> You just add the DNSKEY of the emergency ZSK in the unsigned zone.
> Perfect.

When switching over to the emergency HSM, I think you should also add 
the DNSKEY record of the old HSM's ZSK to the unsigned zone file that is 
then signed using the emergency HSM. That is because a resolver can 
still have a signature made with the old ZSK in the cache but needs to 
fetch the DNSKEY RRset from the authoritative servers.


More information about the Opendnssec-user mailing list