[Opendnssec-user] Howto publish an additional DNSKEY-record

Rickard Bellgrim rickard at opendnssec.org
Fri Dec 2 13:01:27 UTC 2011

> When switching over to the emergency HSM, I think you should also add the
> DNSKEY record of the old HSM's ZSK to the unsigned zone file that is then
> signed using the emergency HSM. That is because a resolver can still have a
> signature made with the old ZSK in the cache but needs to fetch the DNSKEY
> RRset from the authoritative servers.

Yes, that is correct. As a reference, you can read our documentation
on how to migrate to OpenDNSSEC. The emergency case is similar to the
system rollover. Remember that the key rollover timings do apply.
Before the system rollover you need to:
* Extract the DS corresponding to the KSK in the new system and
publish it in the parent zone.
* Publish the new ZSK in the old system.
* Publish the old ZSK in the new system.

System rollover:
* Re-delegate the zone in the parent zone.

After the system rollover you need to:
* Remove the old DS from the parent zone.
* Remove the new ZSK from the old system.
* Remove the old ZSK from the new system.
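As an added example (not from the message above or from the OpenDNSSEC project), the following Python script checks the pre-publication step of the procedure: it computes RFC 4034 key tags for the DNSKEY records the new system will publish and reports any key tag that RRSIGs produced by the old system still reference, which is exactly the case where a resolver holds a cached signature but fetches the DNSKEY RRset from the new system. The record lines and the very short public keys are constructed for illustration; real keys are far longer.

```python
import base64
import struct

def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; algorithm 1 is not handled)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8   # big-endian 16-bit word sum
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def rr_type_and_rdata(line):
    """Split one presentation-format line into its type (DNSKEY/RRSIG) and RDATA tokens."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in ("DNSKEY", "RRSIG"):
            return tok, fields[i + 1:]
    return None, []

def dnskey_tags(zone_text):
    """Map key tag -> flags for every DNSKEY record in the text."""
    tags = {}
    for line in zone_text.splitlines():
        rtype, rdata = rr_type_and_rdata(line)
        if rtype == "DNSKEY":
            flags, proto, alg = int(rdata[0]), int(rdata[1]), int(rdata[2])
            tags[dnskey_key_tag(flags, proto, alg, "".join(rdata[3:]))] = flags
    return tags

def rrsig_tags(zone_text):
    """Key tags referenced by every RRSIG record (7th RDATA field)."""
    return {int(rdata[6]) for rtype, rdata in map(rr_type_and_rdata, zone_text.splitlines())
            if rtype == "RRSIG"}

def missing_keys(signed_by_old, dnskey_new):
    """Key tags that old-system RRSIGs reference but the new DNSKEY RRset does not contain."""
    return rrsig_tags(signed_by_old) - set(dnskey_tags(dnskey_new))

# Constructed sample records (tiny fake keys, not real DNSSEC material).
OLD_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 AQIDBA=="   # key tag 2062
SIGNED_BY_OLD = ("www.example.com. 3600 IN RRSIG A 8 3 3600 20111231000000 "
                 "20111201000000 2062 example.com. c2ln")
NEW_SYSTEM_KEYS = "\n".join([
    "example.com. 3600 IN DNSKEY 257 3 8 qrvM3Q==",        # new KSK, key tag 31650
    "example.com. 3600 IN DNSKEY 256 3 8 ECAwQA==",        # new ZSK, key tag 17512
])

if __name__ == "__main__":
    print("missing before pre-publish:", missing_keys(SIGNED_BY_OLD, NEW_SYSTEM_KEYS))
    print("missing after pre-publish:", missing_keys(SIGNED_BY_OLD, NEW_SYSTEM_KEYS + "\n" + OLD_ZSK))
```

Run the same check in the other direction (old system's DNSKEY RRset against RRSIGs made by the new ZSK) to confirm the "publish the new ZSK in the old system" step.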
