[Opendnssec-user] Howto publish an additional DNSKEY-record
Rickard Bellgrim
rickard at opendnssec.org
Fri Dec 2 13:01:27 UTC 2011
> When switching over to the emergency HSM, I think you should also add the
> DNSKEY record of the old HSM's ZSK to the unsigned zone file that is then
> signed using the emergency HSM. That is because a resolver can still have a
> signature made with the old ZSK in the cache but needs to fetch the DNSKEY
> RRset from the authoritative servers.
Yes, that is correct. As a reference, you can read our documentation
on how to migrate to OpenDNSSEC. The emergency case is similar to the
system rollover. Remember that the key rollover timings do apply.
https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
Before the system rollover you need to:
* Extract the DS corresponding to the KSK in the new system and
publish it in the parent zone.
* Publish the new ZSK in the old system.
* Publish the old ZSK in the new system.
System rollover:
* Re-delegate the zone in the parent zone.
After the system rollover you need to:
* Remove the old DS from the parent zone.
* Remove the new ZSK from the old system.
* Remove the old ZSK from the new system.
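As an added illustration of why the "publish the old ZSK in the new system" step matters (example code, not part of this post and not OpenDNSSEC's own tooling): the check below computes RFC 4034 key tags from a DNSKEY RRset and reports any key tag referenced by RRSIGs that resolvers may still be caching but that is missing from the RRset the new system will serve. The zone name, the toy public keys and the RRSIG line are constructed sample data, not real keys.

```python
"""Pre-cutover check for a DNSSEC system rollover (added example).

Every RRSIG a resolver may still hold in cache must be matched by a DNSKEY in
the RRset the new system serves, otherwise validation fails until the old
signatures expire from caches."""
import base64
import struct


def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (non-RSA/MD5 form)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_records(zone_text):
    """Return ({(tag, alg) of each DNSKEY}, {(tag, alg) of each RRSIG})."""
    dnskeys, rrsigs = set(), set()
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue
        rtype, rdata = fields[3], fields[4:]
        if rtype == "DNSKEY":  # flags protocol algorithm publickey
            flags, proto, alg = (int(x) for x in rdata[:3])
            dnskeys.add((dnskey_key_tag(flags, proto, alg, "".join(rdata[3:])), alg))
        elif rtype == "RRSIG":  # type alg labels ttl expire incept keytag signer sig
            rrsigs.add((int(rdata[6]), int(rdata[1])))
    return dnskeys, rrsigs


def missing_signing_keys(served_dnskey_text, cached_rrsig_text):
    """(tag, alg) pairs used by RRSIGs but absent from the served DNSKEY RRset."""
    served, _ = parse_records(served_dnskey_text)
    _, referenced = parse_records(cached_rrsig_text)
    return referenced - served


# Constructed sample: DNSKEY RRset of the new system with only its own ZSK ...
NEW_SYSTEM_DNSKEYS = "example.com. 3600 IN DNSKEY 256 3 8 AwEAARI0\n"
# ... and the same RRset with the old system's ZSK pre-published in it.
NEW_SYSTEM_WITH_OLD_ZSK = NEW_SYSTEM_DNSKEYS + "example.com. 3600 IN DNSKEY 256 3 8 AwEAAavN\n"
# Constructed RRSIG made by the old ZSK (key tag 45783) that caches may still hold.
CACHED_RRSIGS = ("www.example.com. 3600 IN RRSIG A 8 3 3600 20111231000000 "
                 "20111201000000 45783 example.com. c2ln\n")

if __name__ == "__main__":
    print("missing without pre-publish:", missing_signing_keys(NEW_SYSTEM_DNSKEYS, CACHED_RRSIGS))
    print("missing with pre-publish:", missing_signing_keys(NEW_SYSTEM_WITH_OLD_ZSK, CACHED_RRSIGS))
```

Run it against the DNSKEY RRset the emergency or new system actually serves and the RRSIGs still within their TTL on the old system; an empty result means re-delegation will not strand cached signatures.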