Single-key rollover

Mark Andrews marka at
Tue Jun 19 01:32:37 UTC 2012

In message <CABUciRn0eVX5Gz8Ke0eLTHw0u0LnE9ExXX3s2zSPUKQP+3D3=A at>, Alexander Gurvitz writes:
> Hello
> Is it possible with BIND to perform "Single Type Signing Key rollover"
> as described in chapter 4.1.4 of rfc4641bis-11:
> (The idea is to have zone with single key instead of ZSK/KSK pair)
>    There is a second variety of this rollover, during which one
>    introduces a new DNSKEY into the key set and signs the key set with
>    both keys while signing the zone data with only the original
>    DNSKEY_S_1. One replaces the DNSKEY_S_1 signatures with signatures
>    made with DNSKEY_S_2 at the moment of DNSKEY_S_1 removal.
> As far as I understand, it's not possible with BIND, am I getting it right?
> Thanks in advance,
> Alexander Gurvitz,

That paragraph from 4.1.4 is just plain wrong and following it will
lead to cached data that can't be validated once retrieved.

Let's say that all data in the zone has a TTL of 3600.

At T - 3500 you have retrieved the DNSKEY while validating an MX RRset.
At T - 100 you look up an A record and validate it with the previously validated
At T you update the zone's contents as per above.
At T + 100 the DNSKEY RRset expires from the cache.
At T + 200 a validating stub resolver looks up the A record and gets
RRSIG(KEY1).  It then does a DNSKEY retrieval and only gets KEY2.

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
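A small cache-timing model of the timeline in the reply, added here as an illustration (a constructed example, not BIND code). The first function replays the quoted 4.1.4 procedure and returns the validation outcome before and after the change; the second models keeping KEY1 published for one TTL after the data signatures are switched, an ordering assumed for the model rather than one the reply spells out. The key names KEY1/KEY2, the TTL of 3600 and the timings come from the reply; the Zone/Resolver classes and everything else are invented for the model.

```python
TTL = 3600  # seconds; every RRset in the model shares this TTL

class Zone:
    """Authoritative state: the keys in the DNSKEY RRset and the key whose
    RRSIG covers the A record (DNSKEY RRset signatures assumed valid)."""
    def __init__(self, keys, data_signer):
        self.keys, self.data_signer = set(keys), data_signer

class Resolver:
    """Validating resolver with a TTL-bounded cache; the A record is
    cached together with the key that signed it."""
    def __init__(self):
        self.cache = {}  # name -> (value, expiry time)

    def lookup(self, name, fetch, now):
        value, expiry = self.cache.get(name, (None, now))
        if now >= expiry:  # absent or expired: fetch from the authority
            value = fetch()
            self.cache[name] = (value, now + TTL)
        return value

    def validate_a(self, zone, now):
        """True if the A record's signer is in the DNSKEY RRset, each taken
        from cache while fresh, otherwise fetched from the zone at 'now'."""
        signer = self.lookup("A", lambda: zone.data_signer, now)
        return signer in self.lookup("DNSKEY", lambda: frozenset(zone.keys), now)

def rfc4641bis_variant():
    """4.1.4 as quoted: KEY2 published, data still signed by KEY1, and the
    signatures swapped only at the moment KEY1 is removed (time T)."""
    zone, r = Zone({"KEY1", "KEY2"}, "KEY1"), Resolver()
    r.lookup("DNSKEY", lambda: frozenset(zone.keys), -3500)  # MX validation
    before = r.validate_a(zone, -100)  # A cached with RRSIG(KEY1) to T+3500
    zone.keys, zone.data_signer = {"KEY2"}, "KEY2"  # T: swap and remove
    # T+200: DNSKEY expired at T+100 and refetches as {KEY2}, but the cached
    # A record still carries RRSIG(KEY1), so validation fails.
    return before, r.validate_a(zone, 200)

def swap_then_wait_variant():
    """Assumed ordering: switch data signatures to KEY2 at T but keep KEY1
    in the DNSKEY RRset for a TTL, so the RRSIG(KEY1) copies age out."""
    zone, r = Zone({"KEY1", "KEY2"}, "KEY1"), Resolver()
    r.lookup("DNSKEY", lambda: frozenset(zone.keys), -3500)
    before = r.validate_a(zone, -100)
    zone.data_signer = "KEY2"  # T: new signatures, KEY1 still published
    during = r.validate_a(zone, 200)  # DNSKEY refetches as {KEY1, KEY2}
    zone.keys = {"KEY2"}  # T+TTL: KEY1 removed
    return before, during, r.validate_a(zone, 3700)
```

Running both functions shows the validation failure at T + 200 in the quoted procedure and no failure once the removal of KEY1 is delayed by a TTL.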
