
In theory, a variety of key rollover mechanisms are possible; they are described in detail in:

Also see:

A summary is given below:

ZSK Method         KSK Method         Description
-----------------  -----------------  ------------------------------------------------------------------------------------------
Pre-Publication    (missing)          Publish DNSKEY before the RRSIG
Double-Signature   Double-Signature   Publish DNSKEY and RRSIG at the same time. For a KSK, this happens before the DS is published
Double RR-sig      N/A                Publish RRSIG before the DNSKEY
N/A                (missing)          Publish DS before DNSKEY
N/A                (missing)          Publish DNSKEY and DS in parallel.


OpenDNSSEC currently supports the following mechanisms:

  • ZSK: Pre-Publication
  • KSK: Double-Signature

Future versions of OpenDNSSEC will support additional mechanisms. 


ZSK rollovers: Pre-Publication

  • First key:   Ipub = Dprp + min(TTLsoa, SOAmin)
  • Future keys: Ipub = Dprp + TTLkey
  • TpubS <= Tact + Lzsk - Ipub
  • Iret = Dsgn + Dprp + TTLsig

KSK rollovers: Double-Signature

  • Ipub = Dprp + TTLkey
  • TpubS <= Tact + Lksk - Dreg - Ipub
  • Iret = DprpP + TTLds
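Evaluating the ZSK Pre-Publication and KSK Double-Signature formulas above for one constructed set of timings, as an added example rather than OpenDNSSEC's own code. The symbol glosses in the comments are the assumed RFC 6781 meanings; the function names and the sample values are mine.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Timing:
    """Rollover timing inputs in seconds. Comments give the assumed RFC 6781
    meaning of each symbol from the page; the values used below are made up."""
    d_prp: int    # Dprp: propagation delay to all authoritative servers
    ttl_key: int  # TTLkey: TTL of the DNSKEY RRset
    ttl_soa: int  # TTLsoa: TTL of the SOA record
    soa_min: int  # SOAmin: SOA MINIMUM field
    d_sgn: int    # Dsgn: time to re-sign the whole zone with the new ZSK
    ttl_sig: int  # TTLsig: largest TTL of any RRset the ZSK signs
    d_reg: int    # Dreg: delay until the parent publishes the new DS
    d_prp_p: int  # DprpP: propagation delay within the parent zone
    ttl_ds: int   # TTLds: TTL of the DS RRset at the parent

def zsk_ipub(t: Timing, first_key: bool) -> int:
    """Interval a new ZSK must be published before it signs. The first key
    must outlive negative caching of the absent DNSKEY RRset, which is
    min(TTLsoa, SOAmin) per RFC 2308; later keys wait for TTLkey."""
    if first_key:
        return t.d_prp + min(t.ttl_soa, t.soa_min)
    return t.d_prp + t.ttl_key

def zsk_iret(t: Timing) -> int:
    """Retire interval: the old ZSK stays published until every signature it
    made has been replaced by the new key and has expired from caches."""
    return t.d_sgn + t.d_prp + t.ttl_sig

def zsk_latest_tpubs(t: Timing, t_act: int, l_zsk: int) -> int:
    """Upper bound on TpubS: publish the successor no later than this."""
    return t_act + l_zsk - zsk_ipub(t, first_key=False)

def ksk_ipub(t: Timing) -> int:
    return t.d_prp + t.ttl_key

def ksk_iret(t: Timing) -> int:
    """Old KSK retires once the new DS has propagated and the old DS expired."""
    return t.d_prp_p + t.ttl_ds

def ksk_latest_tpubs(t: Timing, t_act: int, l_ksk: int) -> int:
    """Upper bound on TpubS for a KSK: also reserves Dreg for the DS update."""
    return t_act + l_ksk - t.d_reg - ksk_ipub(t)

# Constructed sample: 1 h propagation, 2 h DNSKEY TTL, 1 h SOA TTL, 30 min SOA
# MINIMUM, 10 min re-sign, 1 d max signed TTL, 1 d DS registration, 1 h parent
# propagation, 1 h DS TTL.
SAMPLE = Timing(3600, 7200, 3600, 1800, 600, 86400, 86400, 3600, 3600)
```

With these inputs the first ZSK needs 5400 s of pre-publication but every later one needs 10800 s, which is the difference an enforcer has to track between an initial signing and a routine rollover.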
