[Opendnssec-user] Rollovers between imported keys

Hoda Rohani hoda at nlnetlabs.nl
Thu Mar 8 09:47:50 UTC 2018

Hello Djordje,

Thanks for your report.

Unfortunately, you cannot define any relation between keys with this command, which rollover needs. So the enforcer
cannot diagnose any dependencies between the imported keys and assumes all of them are independent.

I need to talk about your scenario internally; maybe we could improve the enforcer's behavior in those cases.


On 07-03-18 15:00, Djordje Antic wrote:
> Hi,
> I use OpenDNSSEC 2.1.3 and SoftHSM 2.3.0.
> Is it possible to import externally pregenerated KSK/ZSK keys and use
> them for signing, with automatic rollover between them?
> I import them correctly to the SoftHSM and to the enforcer (in
> generate or any other state) and the keys are properly seen with key
> list command.
> The issue is in rollovers. There are no rollovers between them, all keys:
> - eventually pass to active state (each one after its inception time,
> I tried setting it to a future time),
> - are being used to produce signatures and
> - get rolled over at the same time (after the lifetime of the last key
> passes) with a new enforcer generated key.
> Is this by design?
> I have seen that support for offline keys (KSR/SKR scheme) is
> something that is planned for a future release and only for KSK.
> Best regards,
> Djordje