As I said it depends on which KSK-rollover method you are using. OpenDNSSEC uses Double-Signature: (see https://wiki.opendnssec.org/display/DOCS/Key+Rollovers).
Thus, it should be sufficient to have only the DS of the active KSK (on the standby KSKs) in the parent zone. regards Klaus On 25.08.2014 11:40, Bas van den Dikkenberg wrote: > I plan to have 2 standby keys as far as I onderstand I have to publish at > least the active key and both the standby keys right ? > Wat about the with status retired(not dead) > > > -----Oorspronkelijk bericht----- > Van: Klaus Darilion [mailto:[email protected]] > Verzonden: maandag 25 augustus 2014 11:08 > Aan: Bas van den Dikkenberg; [email protected] > Onderwerp: Re: [Opendnssec-user] what key's do i need to submit to Registar. > > > > On 23.08.2014 17:16, Bas van den Dikkenberg wrote: >> Hi , >> >> >> >> A question about the key states, I am the process of scripting the >> updating the KSK to my registerars. >> >> >> >> Does the output of ods-ksmutil key export -zone zome.tld provide me >> the keys I need to publish to the registar/tld >> >> >> >> Do retire and publish also needed to be included ? > > It depends on your KSK rollover method. See: > > http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-04#section-2.2 > > regards > Klaus > _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
