[Opendnssec-user] DelegationSignerSubmitCommand key identification

Daniel Salzman daniel.salzman at nic.cz
Mon May 14 13:51:04 UTC 2012

Yes, but:
- Algorithm for key_id computation is very simple and collision space is 
- In case of automatic KSK rollover it is necessary to have certainty of 
uniqueness. Use of CKA_ID is a pure solution.
- RFC 4034 says:
"However, it is essential to note that the key tag is not a unique
identifier.  It is theoretically possible for two distinct DNSKEY RRs
to have the same owner name, the same algorithm, and the same key
tag.  The key tag is used to limit the possible candidate keys, but
it does not uniquely identify a DNSKEY record.  Implementations MUST
NOT assume that the key tag uniquely identifies a DNSKEY RR."


On 05/14/2012 03:03 PM, Mathieu Arnold wrote:
> +--On 14 mai 2012 14:45:30 +0200 Rickard Bellgrim <rickard at opendnssec.org>
> wrote:
> |>  I am trying to set up automatic KSK rollover with OpenDNSSEC. If I use
> |>  DelegationSignerSubmitCommand option
> |>  for starting my external program, I am missing any information about key
> |>  identifier relating to DNSKEY record,
> |>  that should be subsequently used for key ds-seen. Although there is
> |>  possibility to compute key_id manually,
> |>  this is not ideal approach due to ambiguity. It would be useful to add
> |>  CKA_ID in comment to DelegationSignerSubmitCommand
> |>  parameter (if required in configuration).
> |
> | Yes, that is a drawback that you have to query the "key list" to get
> | the CKA_ID of the key in the correct state when there are duplicate
> | key tags.
> It should be fairly rare to have a tag conflict for two keys on *one* zone,
> no ?
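
Added example (not part of the original thread and not OpenDNSSEC code): the RFC 4034 Appendix B key tag is a 16-bit sum over the DNSKEY RDATA, so two different keys can share a tag, and a DS submission handler should confirm the key by digest or CKA_ID rather than by tag alone. The owner name, the 8-byte key material (not a valid key) and the CKA_ID strings below are constructed for illustration.

```python
import hashlib
import struct

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: flags (2 bytes) | protocol (1) | algorithm (1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner_wire, rdata):
    """SHA-256 DS digest (RFC 4509): owner name in wire format followed by the RDATA."""
    return hashlib.sha256(owner_wire + rdata).hexdigest()

def candidates(keys, tag):
    """The key tag only narrows the candidate set, as RFC 4034 states."""
    return [k for k in keys if key_tag(k["rdata"]) == tag]

def select_key(keys, tag, owner_wire, digest):
    """Narrow by tag, confirm by digest; return the CKA_ID, or None if not exactly one."""
    hits = [k for k in candidates(keys, tag)
            if ds_digest(owner_wire, k["rdata"]) == digest]
    return hits[0]["cka_id"] if len(hits) == 1 else None

# Constructed sample data: owner "example." and two distinct byte strings used as keys.
OWNER = b"\x07example\x00"
KEY_A = bytes(range(1, 9))
# Swapping two aligned 16-bit words changes the key but not the sum, hence not the tag.
KEY_B = KEY_A[2:4] + KEY_A[0:2] + KEY_A[4:]
KEYS = [
    {"cka_id": "constructed-cka-id-a", "rdata": dnskey_rdata(257, 3, 8, KEY_A)},
    {"cka_id": "constructed-cka-id-b", "rdata": dnskey_rdata(257, 3, 8, KEY_B)},
]

if __name__ == "__main__":
    for k in KEYS:
        print(k["cka_id"], key_tag(k["rdata"]), ds_digest(OWNER, k["rdata"])[:16])
    print("candidates for tag 5149:", len(candidates(KEYS, 5149)))
```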
