> What I would do is to add the emergency DNSKEY as a normal RR in the
> plain zone, because OpenDNSSEC doesn't need to maintain its state as a
> key.
>
> Then, in case of a rollover, it should be a matter of adding a new
> keystore with SoftHSM.

You just add the DNSKEY of the emergency ZSK in the unsigned zone. And add a DS of the emergency KSK to the parent zone. But the DS could be added later if you feel that you have time for that.

You also need to use the same algorithm. If not, then it would be an algorithm rollover which is not handled in this way.

// Rickard
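
Added example, not part of the original message or of OpenDNSSEC: a pre-publication check for the procedure described above. It reads the emergency DNSKEY records from the unsigned zone, confirms they use the same algorithm as the keys in use, and derives the DS for the emergency KSK. Assumptions: the zone name, the toy key material, algorithm 8, one record per line with explicit owner, TTL and class, and SHA-256 (digest type 2) for the DS are all constructed for illustration.

```python
import base64, hashlib, struct

# Constructed sample records (toy key material, not real keys).
UNSIGNED_ZONE = """\
example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 257 3 8 BQYHCA==
"""

def parse_dnskeys(zone_text):
    """Return (owner, flags, protocol, algorithm, pubkey) for each DNSKEY RR."""
    keys = []
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[3].upper() == "DNSKEY":
            pub = base64.b64decode("".join(f[7:]))
            keys.append((f[0], int(f[4]), int(f[5]), int(f[6]), pub))
    return keys

def rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rd):
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rd))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_record(owner, flags, protocol, algorithm, pubkey):
    """DS with digest type 2: SHA-256 over owner name + DNSKEY RDATA."""
    rd = rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.sha256(owner_wire(owner) + rd).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rd)} {algorithm} 2 {digest}"

def check_emergency_keys(zone_text, active_algorithm):
    """Return (problems, ds_lines); active_algorithm is the one the zone is signed with."""
    problems, ds_lines = [], []
    for owner, flags, proto, alg, pub in parse_dnskeys(zone_text):
        if alg != active_algorithm:  # would be an algorithm rollover
            tag = key_tag(rdata(flags, proto, alg, pub))
            problems.append(f"key tag {tag}: algorithm {alg} != {active_algorithm}")
        elif flags & 0x0001:  # SEP bit set: treat as the emergency KSK
            ds_lines.append(ds_record(owner, flags, proto, alg, pub))
    return problems, ds_lines
```

Calling `check_emergency_keys(UNSIGNED_ZONE, 8)` returns no problems and one DS line for the KSK; passing a different active algorithm reports both keys as mismatched and produces no DS.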
