Hi,

The KSK rollover logic seems to have changed quite a bit between releases 1.0 and 1.1. According to the changelog, the current logic seems to be Double-DNSKEY. With reference to draft-morris-dnsop-dnssec-key-timing, this probably corresponds to the "Double-Signature" rollover method, right?

This new logic seems to change especially the way standby KSK keys are handled. When I initially signed my zone with version 1.1.0, there was only one KSK key in the DNSKEY RRset and the DNSKEY RRset was signed with that very key. The standby KSK was not present in the DNSKEY RRset at all, which I find a bit confusing. The standby key was in the "waiting for ds-seen" state, and after giving "key ds-seen <standby-KSK>" the standby key enters the DSPUBLISH state but doesn't appear in the signed zone. This means that we have a standby DS record in the parent zone but not the corresponding DNSKEY published in our zone. Or is the KSK rollover some kind of mixture of Double-Signature and Double-DS logics, or what?

So, what is the logic for rolling the KSK in version 1.1.0, and especially for handling the standby KSKs? draft-morris-dnsop-dnssec-key-timing states that "Double-Signature (=Double-DNSKEY) method requires that the standby KSK be included in the DNSKEY RRset; rolling the key then requires just the introduction of the DS record in the parent". OpenDNSSEC version 1.1.0 doesn't seem to do it exactly this way, or am I missing something essential?

Regards,
Antti

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
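The check behind the question above, written as an added example (not OpenDNSSEC code and not part of the original post): given the child's DNSKEY RRset and the DS key tags the parent holds, find any DS that points at a key not published in the zone, and walk the Double-Signature ordering from the draft to show that this ordering never produces such a dangling DS, whereas the "DS in parent, DNSKEY absent" state described in the post does. Key tags follow RFC 4034 Appendix B; the key bytes, the DNSKEY RRset contents and the step names are constructed for the example.

```python
import struct

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i % 2 else byte << 8   # even offsets weigh the high byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

KSK, ZSK = 257, 256  # DNSKEY flags: ZONE|SEP for a KSK, ZONE for a ZSK

# Constructed sample keys as (flags, protocol, algorithm, public key bytes);
# the key material is made up and is not a real RSASHA256 key.
OLD_KSK = (KSK, 3, 8, b"\x01\x02")
NEW_KSK = (KSK, 3, 8, b"\x03\x04\x05")   # the standby KSK from the post
ZSK_KEY = (ZSK, 3, 8, b"\x06\x07")

def dangling_ds(dnskey_rrset, ds_tags):
    """DS key tags in the parent that match no DNSKEY published in the child."""
    published = {key_tag(*k) for k in dnskey_rrset}
    return sorted(t for t in ds_tags if t not in published)

def double_signature_rollover(old_ksk, new_ksk, zsk):
    """Yield (step, DNSKEY RRset, parent DS tags) in the draft's Double-Signature
    order: the new KSK enters the DNSKEY RRset before its DS is published."""
    old_tag, new_tag = key_tag(*old_ksk), key_tag(*new_ksk)
    yield "initial",      [old_ksk, zsk],          {old_tag}
    yield "new-dnskey",   [old_ksk, new_ksk, zsk], {old_tag}
    yield "new-ds",       [old_ksk, new_ksk, zsk], {old_tag, new_tag}
    yield "old-ds-gone",  [old_ksk, new_ksk, zsk], {new_tag}
    yield "old-key-gone", [new_ksk, zsk],          {new_tag}

def rollover_dangling_steps(old_ksk, new_ksk, zsk):
    """Rollover steps at which the parent holds a DS with no DNSKEY behind it."""
    return [step for step, rrset, ds in double_signature_rollover(old_ksk, new_ksk, zsk)
            if dangling_ds(rrset, ds)]

def described_1_1_0_state():
    """The state in the post: standby DS in the parent, standby DNSKEY not in the zone."""
    return dangling_ds([OLD_KSK, ZSK_KEY], {key_tag(*OLD_KSK), key_tag(*NEW_KSK)})

if __name__ == "__main__":
    print("dangling DS steps in Double-Signature rollover:",
          rollover_dangling_steps(OLD_KSK, NEW_KSK, ZSK_KEY))
    print("dangling DS tags in the described state:", described_1_1_0_state())
```

Running the same `dangling_ds` check against a real zone's DNSKEY RRset and the DS records actually published at the parent is a cheap way to confirm which rollover scheme a signer is really following.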
