[Opendnssec-user] DNSKEY set signed with KSK in retire state.
antti.ristimaki at csc.fi
Thu Nov 19 17:05:19 UTC 2015
----- Original Message -----
> From: "Maurice" <maurice at info.nl>
> To: "Rick van Rein" <rick at openfortress.nl>
> Cc: opendnssec-user at lists.opendnssec.org
> Sent: Thursday, 19 November, 2015 15:40:29
> Subject: Re: [Opendnssec-user] DNSKEY set signed with KSK in retire state.
> Hi Rick,
> I understand that the KSK stays a while in the zone file so that key sets signed
> with this key can expire from caches. But why is the KSK in retired state still
> used to sign the DNSKEY set? Looking further into it I also see that KSKs in
> the publish state produce RRSIGs for the key set.
> Probably this is by design. For ZSKs only the one in the ready state is used
> for signing. But probably all the KSKs, independently of state, produce a
> DNSKEY RRSIG.
An RRset and its RRSIG propagate as an atomic entry in DNS caches, and for the DNSKEY RRset this means that a newly introduced KSK and the corresponding RRSIG will find their way into resolver caches at the same time. As such there is no need to pre-publish a new KSK DNSKEY until it can be used to sign the DNSKEY RRset. For a ZSK this is not true, for obvious reasons.
Regarding the retired KSK, the DNSKEY RRset must be signed with it as long as the old DS record corresponding to the retired KSK can still be present in caches.
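The reasoning in the reply above, as an added toy model that is not part of the thread or of OpenDNSSEC: key states, DS records and RRSIGs are represented by key tags only (no real cryptography), and the state names and TTL arithmetic are assumptions for illustration.

```python
"""Toy model of KSK rollover validation (constructed example, no real DNSSEC crypto).

Shows why a KSK in the retire state must keep signing the DNSKEY RRset while a
resolver may still hold the old DS in its cache, and why a KSK can sign from
the moment it is published.
"""
from dataclasses import dataclass

# Assumed state names; every KSK still present in the zone signs the DNSKEY RRset.
SIGNING_STATES = {"publish", "ready", "active", "retire"}


@dataclass(frozen=True)
class Ksk:
    tag: int      # DNSKEY key tag, used here in place of the key material
    state: str


@dataclass
class DnskeyRRset:
    keys: list        # KSKs published in the DNSKEY RRset
    rrsig_tags: set   # key tags of the KSKs that produced an RRSIG over the set


def sign_dnskey_rrset(ksks):
    """Publish the DNSKEY RRset and sign it with every KSK still in the zone."""
    published = [k for k in ksks if k.state in SIGNING_STATES]
    return DnskeyRRset(published, {k.tag for k in published})


def validate(cached_ds_tags, rrset):
    """Resolver view: secure if some cached DS matches a KSK that is in the RRset
    and produced one of its RRSIGs; otherwise the zone is bogus for that resolver."""
    for k in rrset.keys:
        if k.tag in cached_ds_tags and k.tag in rrset.rrsig_tags:
            return "secure"
    return "bogus"


def retired_ksk_must_sign_until(ds_removed_at, ds_ttl):
    """Earliest moment the retired KSK may stop signing: once the old DS, removed
    from the parent at ds_removed_at, can no longer be served from any cache."""
    return ds_removed_at + ds_ttl


if __name__ == "__main__":
    old, new = Ksk(1001, "retire"), Ksk(2002, "active")
    # Resolver that still caches only the OLD DS: fine while the retired KSK signs,
    # bogus as soon as its RRSIG is dropped early.
    print(validate({1001}, sign_dnskey_rrset([old, new])))              # secure
    print(validate({1001}, DnskeyRRset([old, new], {2002})))            # bogus
    print(retired_ksk_must_sign_until(ds_removed_at=0, ds_ttl=3600))    # 3600
```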