Skip to end of metadata
Go to start of metadata

RFC5011 Automated Updates of DNS Security (DNSSEC) Trust Anchors

In normal circumstances RFC5011 isn't needed by anyone but the root. As of version 1.4.8 OpenDNSSEC is able to perform RFC5011 style KSK key rollovers.


To enable RFC5011 add the <RFC5011/> element to the <KSK> section in the KASP like so:

  <Policy name="default">
        <Algorithm length="2048">8</Algorithm>

New KSK's created with this policy will roll according to the RFC. Since there are no DS records involved, the ds-submit actions are skipped. This means that the KSK will never enter the ready state but will go directly in the active state. Rollovers will take longer than usual because a new key is only been accepted once it has been published and signed by the old key for 30 days. Likewise, after the new key is accepted, the old KSK is revoked. This revocation is signed by both the old and the new key and published for 30 days.

  • No labels