[Opendnssec-user] Force a fast key rollover

Rick van Rein (OpenFortress) rick at openfortress.nl
Fri Jun 28 08:13:26 UTC 2013

Hello Klaus,

For testing, you should probably create a policy that rolls faster than usual, and that assumes smaller TTLs on the various parts of the infrastructure.  Don't forget the parent's TTL for the DS and NS records in that case.

If your keys are ever compromised, you should probably remove the DS from the parent as your first step -- expressing withdrawal of trust in the old key.  You might consider removing the zone from OpenDNSSEC at that time, and re-entering it to get a new key.

During normal usage, the gentle pace of key rollover will be just what you need, or more precisely, what the heavily cached DNS infrastructure makes you want to remain online.  It's a bit of a nuisance when testing, but we usually just do something else in the meantime -- or we setup a special testing policy.


More information about the Opendnssec-user mailing list