[Opendnssec-user] KSK Rollover and Key/Policy Change

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Jan 31 13:19:03 UTC 2011


On 27 jan 2011, at 19.13, Scott Armitage wrote:

> During a testing / setup phase I was signing a .eu zone and the KSK was published in the ISC DLV.  I have now reached the stage of putting the KSK in the parent nameserver, only to discover they don't support protocol 8.  I therefore have to generate a new KSK using protocol 7.  To do this, I created a new kasp policy (as other zones share the default) and changed the KSK to protocol 7.  However, when I issue a KSK rollover for the zone it doesn't show a new key when I list the keys.  I have issued an update-all (and even ods-control stop / start), am I doing something wrong or should a new key appear in the key database?

It works for me.

- Create kasp with algorithm 8
- ods-ksmutil setup
- ods-control start
- Wait until you can mark the KSK as ds-seen
- ods-ksmutil key ds-seen -z <zone> -x <keytag>
- Update kasp to algorithm 7
- ods-ksmutil update kasp
- ods-ksmutil key rollover -z <zone> --keytype ksk
- Wait until you can mark the KSK as ds-seen
- ods-ksmutil key ds-seen -z <zone> -x <keytag>

Note that this is considered to be an algorithm rollover, which is not currently supported (will be supported in Enforcer NG). E.g. some timings will be wrong and this will be detected by the Auditor.

// Rickard
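
Added example, not part of the original message and not OpenDNSSEC code: a small Python check for the ds-seen steps above. It computes the RFC 4034 key tag (the value passed to -x) and the algorithm of each published KSK, so the algorithm 8 to 7 change can be confirmed from the zone's DNSKEY set. The zone name example.eu and the key material are constructed placeholders.

```python
import base64

# IANA DNSSEC algorithm mnemonics for the two algorithms discussed in the thread.
ALG_NAMES = {7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256"}

# Constructed DNSKEY answer lines in "dig +noall +answer" style. The key
# material is a short placeholder, not a real RSA key; example.eu is assumed.
SAMPLE = """\
example.eu. 3600 IN DNSKEY 257 3 8 AwEAAQ==
example.eu. 3600 IN DNSKEY 257 3 7 AwEAAw==
example.eu. 3600 IN DNSKEY 256 3 8 AwEABQ==
"""

def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskeys(text):
    """Return one dict per DNSKEY record found in presentation-format text."""
    keys = []
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()   # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        if len(fields) < i + 5:                   # need flags, proto, alg, key
            continue
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        keys.append({"flags": flags, "algorithm": alg,
                     "sep": bool(flags & 0x0001),  # SEP bit set means KSK
                     "key_tag": key_tag(flags, proto, alg, pubkey)})
    return keys

def ksk_report(text):
    """KSKs in the DNSKEY set plus the sorted set of algorithms they use."""
    ksks = [k for k in parse_dnskeys(text) if k["sep"]]
    return ksks, sorted({k["algorithm"] for k in ksks})

if __name__ == "__main__":
    ksks, algs = ksk_report(SAMPLE)
    for k in ksks:
        name = ALG_NAMES.get(k["algorithm"], "other")
        print(f"KSK keytag={k['key_tag']} algorithm={k['algorithm']} ({name})")
    if len(algs) > 1:
        print("KSKs with more than one algorithm published:", algs)
```
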



