[Opendnssec-user] planning key rollovers

Siôn Lloyd sion at nominet.org.uk
Wed Oct 23 13:45:48 UTC 2013


On 23/10/13 08:40, Mathieu Arnold wrote:
> Hi,
>
> I'd like to have the ZSK rollovers spread along the two months period that
> they last so that I don't get 1500 new keys at once.
> I could write a script iterating the zones and sleeping <two
> months>/<number of zones> between them, but it seems a bit
> counterproductive to have a script running that long.
> So, I'm trying to see what the code does, but I'm not exactly certain I
> understand it, it seems that if I want to update the database manually, for
> each zone, I should:
> update the dnsseckey to retire when I want it to, and update the keypair
> associated to it with compromisedflag=1, fixedDate=1.
>
> Before I go on and all hell breaks loose, am I missing something?
>

This should work, although you don't need to set the compromised flag
(fixed date alone should be enough).

It should then look like keys which were imported from outside of ODS -
which have their retirement time fixed at the point of import.

If keys are shared you could have some strange effects where a new zone
gets a key that would otherwise be about to be retired - so keys would
be in use for longer than you might expect.

You will also get some strange effects if the time you allow before
retirement is not enough to publish and propagate the replacement key.
In this case the old key will not be retired until the new one is ready.

I'm just thinking of stuff that might trigger any monitoring you have
around this process...

Sion
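A way to get the staggered schedule the thread is after without a script that sleeps for two months: compute one retire time per key, spread evenly over the rollover period, and emit the corresponding database updates. This is an added example, not code from the thread or from OpenDNSSEC; the zone-to-key mapping is constructed, and the table and column names (`dnsseckeys.retire`, `dnsseckeys.keypair_id`, `keypairs.fixedDate`, `keypairs.id`) are assumed from the wording of the post and must be checked against the actual KASP database schema before anything is run.

```python
from datetime import datetime, timedelta

# Constructed sample: zone -> id of the active ZSK it currently uses.
# example.org and example.net share key 7, the "shared keys" case the
# reply warns about.
ZONE_KEYS = {
    "example.org": 7,
    "example.net": 7,
    "example.com": 12,
    "example.info": 15,
    "example.edu": 21,
}


def stagger_retire_times(zone_keys, start, period, min_lead):
    """Return {key_id: retire_time} spreading the rollovers evenly over `period`.

    Scheduling is per key, not per zone: the retire time lives on the key, so
    a key shared by several zones gets exactly one slot and those zones roll
    together. Slots earlier than start + min_lead are pushed out so that the
    replacement key has time to be published and propagated before the old
    one is due to retire; otherwise the old key lingers until the new one is
    ready, which is the effect the reply says may trip monitoring.
    """
    keys = sorted(set(zone_keys.values()))
    if not keys:
        return {}
    step = period / len(keys)
    earliest = start + min_lead
    return {k: max(start + step * i, earliest) for i, k in enumerate(keys)}


def zone_retire_times(zone_keys, schedule):
    """Map each zone to the retire time of the key it uses (for reporting)."""
    return {zone: schedule[k] for zone, k in zone_keys.items()}


def update_statements(schedule, fmt="%Y-%m-%d %H:%M:%S"):
    """Parameterised UPDATEs for the assumed 1.x KASP tables named in the thread.

    Per the reply, only the retire time and fixedDate=1 are needed; the
    compromised flag is left alone. Each entry is (sql, params) for a DB-API
    cursor.execute() call.
    """
    out = []
    for key_id, retire in sorted(schedule.items()):
        out.append(("UPDATE dnsseckeys SET retire = ? WHERE keypair_id = ?",
                    (retire.strftime(fmt), key_id)))
        out.append(("UPDATE keypairs SET fixedDate = 1 WHERE id = ?", (key_id,)))
    return out
```

Try it on a copy of the KASP database first; `cursor.execute(sql, params)` for each returned pair applies the schedule.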

