> When switching over to the emergency HSM, I think you should also add the
> DNSKEY record of the old HSM's ZSK to the unsigned zone file that is then
> signed using the emergency HSM. That is because a resolver can still have a
> signature made with the old ZSK in the cache but needs to fetch the DNSKEY
> RRset from the authoritative servers.
Yes, that is correct. As a reference, you can read our documentation on how
to migrate to OpenDNSSEC. The emergency case is similar to the system
rollover. Remember that the key rollover timings do apply.

https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC

Before the system rollover you need to:

* Extract the DS corresponding to the KSK in the new system and publish it
  in the parent zone.
* Publish the new ZSK in the old system.
* Publish the old ZSK in the new system.

System rollover:

* Re-delegate the zone in the parent zone.

After the system rollover you need to:

* Remove the old DS from the parent zone.
* Remove the new ZSK from the old system.
* Remove the old ZSK from the new system.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
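The two pre-rollover steps above (extract the DS for the new KSK, make sure the old ZSK is published next to the new keys) are easy to get wrong by hand, so here is an added example that checks them offline. It is not from the thread and not OpenDNSSEC's own code: it parses DNSKEY records in presentation format, computes the RFC 4034 key tag and the DS digest, and reports which of the required keys are missing from the DNSKEY RRset the new signer is about to publish. The example.com keys below are constructed filler bytes, not real keys.

```python
"""Pre-flight checks for a system (emergency) rollover between two signers.

Added example, not OpenDNSSEC code. Key material below is constructed filler.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605)
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical (lowercase) wire format of an owner name, as hashed into a DS."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' (single line)."""
    line = line.split(";", 1)[0].replace("(", " ").replace(")", " ")
    tokens = line.split()
    owner = tokens[0]
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    key = base64.b64decode("".join(tokens[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    return {"owner": owner, "flags": flags, "protocol": proto, "algorithm": alg,
            "key": key, "rdata": rdata, "tag": key_tag(rdata),
            "is_ksk": bool(flags & 1)}  # SEP bit set on KSKs


def ds_digest(owner, rdata, digest_type=2):
    """Hex digest over canonical owner name + DNSKEY RDATA (RFC 4034 5.1.4)."""
    h = DIGEST_ALGS[digest_type]()
    h.update(name_to_wire(owner) + rdata)
    return h.hexdigest().upper()


def ds_record(dnskey, digest_type=2):
    """DS RR in presentation format, ready to hand to the parent zone."""
    return "%s IN DS %d %d %d %s" % (
        dnskey["owner"], dnskey["tag"], dnskey["algorithm"], digest_type,
        ds_digest(dnskey["owner"], dnskey["rdata"], digest_type))


def missing_before_redelegation(published_rrset, old_zsk, new_zsk, new_ksk):
    """Key tags that the new signer's DNSKEY RRset must carry but does not.

    The old ZSK must stay published: resolvers may still hold RRSIGs made
    with it and will look for a matching DNSKEY after the switch.
    """
    present = {parse_dnskey(rr)["tag"] for rr in published_rrset}
    required = {parse_dnskey(k)["tag"] for k in (old_zsk, new_zsk, new_ksk)}
    return required - present


def _fake_dnskey(owner, flags, first_byte):
    """Constructed DNSKEY line with 64 filler key bytes (NOT a real key)."""
    key = bytes(range(first_byte, first_byte + 64))
    return "%s 3600 IN DNSKEY %d 3 13 %s" % (owner, flags, base64.b64encode(key).decode())


OLD_ZSK = _fake_dnskey("example.com.", 256, 0)    # ZSK of the old signer/HSM
NEW_ZSK = _fake_dnskey("example.com.", 256, 64)   # ZSK of the new signer/HSM
NEW_KSK = _fake_dnskey("example.com.", 257, 128)  # KSK of the new signer/HSM

if __name__ == "__main__":
    print("DS for the parent:", ds_record(parse_dnskey(NEW_KSK)))
    # The old ZSK was left out of the new signer's zone: report it.
    print("missing key tags:",
          missing_before_redelegation([NEW_ZSK, NEW_KSK], OLD_ZSK, NEW_ZSK, NEW_KSK))
```

The check is by key tag only, which is what a resolver uses to pick a DNSKEY for an RRSIG; if two keys happen to share a tag, compare the full RDATA as well. Run the same check against the old signer's zone with the roles swapped to cover "publish the new ZSK in the old system".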
