[Opendnssec-user] KSK rollover logic?

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Feb 22 14:58:53 UTC 2011


On 22 feb 2011, at 11.35, Johan Ihrén wrote:

> I'm playing with KSK rollovers and smashed my head on what appears to be a combination of 
> 
> 1. Parent (not running OpenDNSSEC) assuming Double-Signature (i.e. "add new KSK to child; wait; flip the DS; wait; retire old KSK"). 
> 
> 2. Child (running OpenDNSSEC 1.2.0) assuming Double-DS (i.e. "add new DS to parent; wait; flip KSK; wait; retire old DS").

The child should also assume Double-Signature. That is what OpenDNSSEC does.

> What happened was that the child got stuck in "dssub" and refused to publish the new DNSKEY for which the DS had been requested. The parent in its turn refused to add a DS for a DNSKEY that was not visible in DNS. Both parties were stubborn ;-)
> 
> Am I missing something obvious here or is Double-DS really the intended default KSK rollover logic? I remember that during the OpenDNSSEC training course that I attended in December there was a bit of confusion about exactly what logic ODS currently implements (I think Rickard said "Double-DS", but I am not entirely sure). Googling a bit seems to imply that ODS should do "Double-Signature" KSK rollovers, so I suspect that this is me failing to find the knob.

I think I said Double-Signature KSK rollover.
http://www.opendnssec.org/wp-content/uploads/2010/12/key.timing.pdf

> My view is that the parent gets to decide the rules and the child has to adapt to that. The alternative of having the child decide simply doesn't work, as the parent would then end up having to treat different children in different ways. I.e. ODS must be able to adapt to the parent requirements. Furthermore, "Double-Signature", being the "first" KSK rollover method we identified, does have a bit of legacy status that would seem to make it reasonable to expect Double-Signature to be supported. 
> 
> Is there some knob somewhere that I'm missing that allows me to kick ODS into behaving according to Double-Signature KSK rollover logic (quite possible)? Otherwise I would argue that this really ought to be considered ASAP.

We currently support Double-Signature KSK and will have support for multiple rollover methods in Enforcer NG (scheduled for this summer).

// Rickard
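The deadlock Johan describes (child waiting in "dssub" for a DS that the parent refuses to publish because the DNSKEY is not yet visible) is easy to reproduce with a small state model. The following is an added example, not OpenDNSSEC or Enforcer code: the two policy names follow the thread, but the state labels, key names ("ksk1", "ksk2") and round-based timing are constructed for illustration. It also goes a step beyond the thread by running all four child/parent policy combinations and reporting which ones complete.

```python
"""Toy model of the KSK rollover interlock between a child zone and its parent.

Added example, not OpenDNSSEC code: the policy names follow the mailing-list
thread, but the state names ("dssub", "done"), the key labels and the
round-based timing are constructed for illustration.
"""
from dataclasses import dataclass, field

DOUBLE_SIGNATURE = "double-signature"  # new KSK goes into the DNSKEY RRset first, DS follows
DOUBLE_DS = "double-ds"                # new DS goes to the parent first, KSK flips afterwards


@dataclass
class Child:
    """The child zone's view: which KSKs it publishes and which DS it has asked for."""
    policy: str
    old_key: str
    new_key: str
    dnskey: set = field(default_factory=set)       # KSKs visible in the zone's DNSKEY RRset
    ds_requests: set = field(default_factory=set)  # keys for which a DS has been submitted
    state: str = "idle"

    def start_rollover(self) -> None:
        self.dnskey.add(self.old_key)
        if self.policy == DOUBLE_SIGNATURE:
            # Double-Signature: both KSKs are visible while the new DS is pending
            self.dnskey.add(self.new_key)
        # Double-DS: the new KSK stays unpublished until its DS is seen at the parent
        self.ds_requests.add(self.new_key)
        self.state = "dssub"  # waiting for the parent to publish the new DS

    def observe_parent(self, parent_ds: set) -> None:
        if self.state == "dssub" and self.new_key in parent_ds:
            # The new DS is live: publish the new KSK (a no-op for Double-Signature)
            # and retire the old one.
            self.dnskey.add(self.new_key)
            self.dnskey.discard(self.old_key)
            self.state = "done"


@dataclass
class Parent:
    """The parent's view: the DS RRset it publishes for the child."""
    policy: str
    ds: set = field(default_factory=set)

    def process(self, child: Child) -> None:
        for key in sorted(child.ds_requests - self.ds):
            if self.policy == DOUBLE_SIGNATURE and key not in child.dnskey:
                # Refuse a DS for a DNSKEY that is not visible in the child zone
                continue
            self.ds.add(key)
            if self.policy == DOUBLE_SIGNATURE:
                self.ds.discard(child.old_key)  # "flip the DS": old replaced by new
        if (self.policy == DOUBLE_DS and child.new_key in self.ds
                and child.old_key not in child.dnskey):
            self.ds.discard(child.old_key)      # child has flipped its KSK: retire the old DS


def _report(outcome: str, child: Child, parent: Parent) -> dict:
    return {
        "outcome": outcome,
        "child_state": child.state,
        "dnskey": sorted(child.dnskey),
        "parent_ds": sorted(parent.ds),
    }


def simulate(child_policy: str, parent_policy: str, rounds: int = 5) -> dict:
    """Run a rollover of ksk1 -> ksk2 and report whether it completes or deadlocks."""
    child = Child(child_policy, old_key="ksk1", new_key="ksk2")
    parent = Parent(parent_policy, ds={child.old_key})
    child.start_rollover()
    for _ in range(rounds):
        parent.process(child)
        child.observe_parent(parent.ds)
        if child.state == "done" and parent.ds == {child.new_key}:
            return _report("rolled", child, parent)
    return _report("stuck", child, parent)


def rollover_matrix() -> dict:
    """Outcome for every child/parent policy combination."""
    policies = (DOUBLE_SIGNATURE, DOUBLE_DS)
    return {(c, p): simulate(c, p)["outcome"] for c in policies for p in policies}


if __name__ == "__main__":
    for (c, p), outcome in rollover_matrix().items():
        print(f"child={c:16} parent={p:16} -> {outcome}")
    print(simulate(DOUBLE_DS, DOUBLE_SIGNATURE))
```

In this model only one combination never completes: a Double-DS child against a Double-Signature parent, which is exactly the "both parties were stubborn" situation in the thread (child stuck in "dssub" with only ksk1 published, parent still holding only the ksk1 DS). The practical check before starting a KSK rollover is therefore to confirm which ordering the parent enforces and make sure the child's policy publishes the new DNSKEY before the DS is requested whenever the parent requires visibility first.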

