Hi,

On Fri, 2010-05-28 at 13:02 +0300, Antti Ristimäki wrote:
> On Fri, 2010-05-28 at 11:34 +0300, Sion Lloyd wrote
> > We have 2 situations to consider, "emergency" rollover and scheduled
> > rollover.
> >
> > The standby key is not used for scheduled rollover, a new key will be
> > pre-published for that.
> >
> > The standby key will come into use if a rollover command is issued
> > out-of-sequence. The thinking here is that the submission of the DS to
> > the parent is likely to be the slower step in the process, so we can get
> > this out of the way early on before we need to act fast.
>
> OK, this is probably a good idea. But is the scheduled rollover now
> meant to be initiated only automatically or how does ods-enforcer
> differentiate a scheduled rollover from an emergency one, if they are
> both initiated with the same "ods-ksmutil key rollover..." command?
>
> In my case, "ods-ksmutil key rollover -z <zone> --keytype KSK" seems to
> introduce a new KSK in the DNSKEY RRset rather than using the standby
> KSK. However, this may be due to the fact that my standby KSK is still
> in "dspublish" state... I guess the standby KSK will enter "dsready" or
> similar after the standby DS has propagated to caches?

It seems that if your standby KSK is in "DSREADY" state and you type
"ods-ksmutil key rollover -z <zone> --keytype KSK", OpenDNSSEC starts
signing the DNSKEY RRset with the standby KSK, in addition to the active
KSK, as expected. However, the standby KSK doesn't appear in the DNSKEY
RRset immediately, which I find weird. That is, the DNSKEY RRset is signed
with a KSK that is not even present in the zone DNSKEY RRset!?

With regards to my previous mail, it would be very nice indeed to be able
to trigger the "normal" (i.e. non-emergency) rollover manually, for
example for testing purposes etc. Now it doesn't seem to be possible.

Regards,
Antti

Opendnssec-user mailing list: https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
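The situation Antti describes (an RRSIG over the DNSKEY RRset made by a KSK whose DNSKEY is not in the RRset) is something a zone operator can check for in a signed zone file before publishing it, because a validator can never use such a signature. The script below is an added illustration for this thread, not code from OpenDNSSEC or from anyone on the list: it parses DNSKEY and RRSIG records in presentation format, computes each DNSKEY's key tag per RFC 4034 Appendix B, and reports every RRSIG over DNSKEY whose key tag (and algorithm) has no matching DNSKEY. The zone name, TTLs, key material and signature bytes in the sample are constructed placeholders, and the example goes slightly beyond the thread by handling ZSK signatures the same way as KSK ones.

```python
import base64

def dnskey_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Key tag for a DNSKEY, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    rdata = (flags.to_bytes(2, "big") + bytes([protocol, algorithm])
             + base64.b64decode(pubkey_b64))
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # odd bytes low, even bytes high
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF

def parse_dnskey_rrset(lines):
    """Return {key_tag: info} for every DNSKEY line (owner ttl IN DNSKEY flags proto alg key)."""
    keys = {}
    for line in lines:
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        pubkey = "".join(f[7:])        # key may be split over several tokens
        tag = dnskey_key_tag(flags, proto, alg, pubkey)
        keys[tag] = {"flags": flags, "alg": alg, "ksk": bool(flags & 1)}
    return keys

def parse_dnskey_rrsigs(lines):
    """Return the RRSIGs that cover the DNSKEY RRset (type covered is field 4)."""
    sigs = []
    for line in lines:
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG" or f[4] != "DNSKEY":
            continue
        # fields: alg labels orig_ttl expiration inception key_tag signer sig
        sigs.append({"alg": int(f[5]), "key_tag": int(f[10]), "signer": f[11]})
    return sigs

def check_dnskey_signers(zone_lines):
    """Classify each RRSIG(DNSKEY) by whether its signing key is actually published."""
    keys = parse_dnskey_rrset(zone_lines)
    report = {"ok": [], "missing_dnskey": []}
    for sig in parse_dnskey_rrsigs(zone_lines):
        key = keys.get(sig["key_tag"])
        if key is None or key["alg"] != sig["alg"]:
            report["missing_dnskey"].append(sig["key_tag"])
        else:
            report["ok"].append(sig["key_tag"])
    return report

# Constructed sample zone fragment: an active KSK (257) and a ZSK (256) are
# published; the DNSKEY RRset carries signatures from the active KSK (tag 2063)
# and from a standby KSK (tag 6175) whose DNSKEY is NOT in the RRset.
# The public keys are dummy 4-byte values, the signatures are dummy base64.
SAMPLE_ZONE = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100601000000 20100528000000 2063 example.com. c2lnMQ==",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20100601000000 20100528000000 6175 example.com. c2lnMg==",
]

# The same zone once the standby KSK's DNSKEY has actually been published.
SAMPLE_ZONE_FIXED = SAMPLE_ZONE + ["example.com. 3600 IN DNSKEY 257 3 8 CQoLDA=="]

if __name__ == "__main__":
    for name, zone in (("before", SAMPLE_ZONE), ("after", SAMPLE_ZONE_FIXED)):
        r = check_dnskey_signers(zone)
        print(name, "signers present:", r["ok"], "signers without DNSKEY:", r["missing_dnskey"])
```

Run against a real zone, feed it the output of `dig +norecurse <zone> DNSKEY` (which returns both the DNSKEY RRset and its RRSIGs when `+dnssec` is set); an entry under "missing_dnskey" is a signature that costs bytes in the response but that no validator can ever use.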
