[Opendnssec-user] Rollovers between imported keys

Djordje Antic djordje.antic at gmail.com
Wed Mar 7 14:00:07 UTC 2018


I use OpenDNSSEC 2.1.3 and SoftHSM 2.3.0.

Is it possible to import externally pregenerated KSK/ZSK keys and use
them for signing, with automatic rollover between them?

I import them correctly to the SoftHSM and to the enforcer (in
generate or any other state) and the keys are properly seen with key
list command.

The issue is in rollovers. There are no rollovers between them, all keys:
- eventually pass to active state (each one after its inception time,
I tried setting it to a future time),
- are being used to produce signatures and
- get rolled over at the same time (after the lifetime of the last key
passes) with a new enforcer generated key.

Is this by design?

I have seen that support for offline keys (KSR/SKR scheme) is
something that is planned for a future release and only for KSK.

Best regards,

More information about the Opendnssec-user mailing list