OpenDNSSEC Documentation
Space shortcuts
OpenDNSSEC Project Wiki

Links

OpenDNSSEC Developer Wiki
OpenDNSSEC Documentation
SoftHSM Developer Wiki
SoftHSM Documentation

OpenDNSSEC Home

All Versions

OpenDNSSEC v2.0
OpenDNSSEC v1.4
OpenDNSSEC v1.3
OpenDNSSEC v1.2.0
OpenDNSSEC v1.1.1
OpenDNSSEC v1.1.0
OpenDNSSEC v1.0.0

 

Current location:

OpenDNSSEC Documentation 1.4

Child pages
  • Key Rollovers
Skip to end of metadata
Go to start of metadata

In theory a variety of key rollover mechanisms are possible and are described in detail in: http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-02

Also see: http://tools.ietf.org/html/draft-mekking-dnsop-dnssec-key-timing-bis-02

A summary is given below:

ZSK MethodKSK MethodDescription
Pre-PublicationN/A

Publish DNSKEY before the RRSIG

Double-SignatureDouble-signature

Publish DNSKEY and RRSIG at the same time. For a KSK, this happens before the DS is published

Double RR-sigN/A

Publish RRSIG before the DNSKEY

N/ADouble-DS

Publish DS before DNSKEY

N/ADouble-RRset

Publish DNSKEY and DS in parallel.

 

OpenDNSSEC currently supports the following mechanisms:

  • ZSK: Pre-Publication
  • KSK: Double-Signature

Future versions of OpenDNSSEC will support additional mechanisms. 

 

ZSK rollovers: Pre-Publication

 

  •  First key:             Ipub = Dprp + min(TTLsoa, SOAmin)
  •  Future keys:        Ipub = Dprp + TTLkey

  •  TpubS <= Tact + Lzsk - Ipub
  •  Iret = Dsgn + Dprp + TTLsig

KSK rollovers: Double-Signature

 

  •  Ipub = Dprp + TTLkey
  •  TpubS <= Tact + Lksk - Dreg - Ipub
  •  Iret = DprpP + TTLds

 

 

  • No labels

      

www.opendnssec.org

Report a bug

Mailing list