Will auto-dnssec perform full KSK rollovers?

Evan Hunt each at isc.org
Wed Feb 17 16:43:42 UTC 2010


> When testing auto-dnssec set to maintain, I am seeing the keys get adjusted
> according to their -R <revoke_time> -I <inactive_time> and -D <delete_time>.
> Should I also see new KSKs be generated and used in the signing process? Or
> do you have to manually drop in new keys? It wasn't clear to me what should
> happen... 

We had hoped to have named generate keys when needed, but we didn't have
time to get that feature ready for 9.7.0.  There's syntax reserved for it
("auto-dnssec create;", if memory serves), but it's stubbed out.  The plan
is to add that feature in 9.7.1, or some successor.

In the meantime, yes, you need to generate keys prior to signing or
rolling.  I would suggest not setting the revoke, inactive, or delete
timers on any key until a successor key (with the same name and algorithm,
and appropriate flags) is already in place.  (Another future feature is to
have named keep track of successor keys for you, and warn you if situations
arise when you might accidentally break the chain.)

For my own little zones I don't roll keys frequently, but if I did, I'd
write a script to generate a new key, set the timeouts on the previous key
for some future time, then set the publication and activation dates on the
new key to match, and then call "rndc sign <zone>".  I'd have cron run the
script on the 15th of the month, say, with the key roll scheduled to take
place on the 1st of the following month; that gives me two weeks to
inspect, and then named does the actual key roll without human
intervention.

(And then I'd mail my pal Evan at ISC and say "Hey, I have this awesome
script I wrote, want to put it in contrib?"  That's what I'd do, yep.)

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
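The scheduled KSK roll sketched in the post, written out as a script. This is an added example, not Evan's script or anything shipped in BIND's contrib; the zone name, key directory, algorithm, key size, retention period and the old key's file name are assumed placeholders. It folds "set the publication and activation dates on the new key" into the dnssec-keygen call (via its -P and -A options) rather than a separate dnssec-settime step, and keeps the rest of the order: generate the successor, retire the predecessor, then "rndc sign".

```python
#!/usr/bin/env python3
"""Scheduled KSK pre-publication rollover for a zone run with "auto-dnssec maintain".

Constructed example: zone, key directory, algorithm and key id are placeholders.
Run from cron on the 15th; the roll itself happens on the 1st of the next month.
"""
import datetime as dt
import subprocess
import sys

KEY_DIR = "/var/named/keys"   # assumed: the zone's key-directory from named.conf
ALGORITHM = "RSASHA256"       # assumed: must match the algorithm of the old KSK
KSK_BITS = 2048               # assumed key size
DELETE_AFTER_DAYS = 30        # assumed: keep the retired key this long after it goes inactive


def first_of_next_month(today):
    """The roll date: the 1st of the month after `today`."""
    if today.month == 12:
        return dt.date(today.year + 1, 1, 1)
    return dt.date(today.year, today.month + 1, 1)


def bind_time(day):
    """Absolute time in the YYYYMMDDHHMMSS (UTC) form dnssec-keygen/settime accept."""
    return dt.datetime(day.year, day.month, day.day).strftime("%Y%m%d%H%M%S")


def plan_rollover(zone, old_key, today, key_dir=KEY_DIR, algorithm=ALGORITHM,
                  bits=KSK_BITS, delete_after_days=DELETE_AFTER_DAYS):
    """Return the argv lists that schedule the roll; nothing is executed here.

    old_key is the file-name stem of the current KSK, e.g. Kexample.com.+008+12345
    (constructed id). The new key is published today, so its DS record can be
    submitted to the parent during the inspection window, and activated at the
    same instant the old key goes inactive.
    """
    roll_day = first_of_next_month(today)
    publish = bind_time(today)
    activate = bind_time(roll_day)
    delete = bind_time(roll_day + dt.timedelta(days=delete_after_days))
    return [
        # 1. generate the successor KSK with its timing metadata set at creation
        ["dnssec-keygen", "-K", key_dir, "-a", algorithm, "-b", str(bits),
         "-f", "KSK", "-n", "ZONE", "-P", publish, "-A", activate, zone],
        # 2. retire the old KSK: stop signing on the roll day, remove it later
        ["dnssec-settime", "-K", key_dir, "-I", activate, "-D", delete, old_key],
        # 3. have named re-read the key directory and act on the schedule
        ["rndc", "sign", zone],
    ]


def run_rollover(zone, old_key, today=None, dry_run=False):
    """Execute the plan (or just print it with dry_run=True); returns the commands."""
    today = today or dt.datetime.utcnow().date()
    commands = plan_rollover(zone, old_key, today)
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)
    return commands


if __name__ == "__main__":
    # constructed cron entry:
    # 0 3 15 * * /usr/local/sbin/ksk-roll.py example.com Kexample.com.+008+12345
    if len(sys.argv) < 3:
        sys.exit("usage: ksk-roll.py ZONE OLD_KSK_NAME [--dry-run]")
    run_rollover(sys.argv[1], sys.argv[2], dry_run="--dry-run" in sys.argv[3:])
```

Two things the script cannot do for you, which is what the two-week window is for: the successor must use the same name and algorithm as the key it replaces (as the post says), and the new KSK's DS record has to be published at the parent before the roll day, or the chain of trust breaks when the old key goes inactive. It leaves -R alone; revocation only matters to resolvers that track this key as an RFC 5011 trust anchor.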


