DNSSEC key rollover

John john at klam.ca
Tue Jan 20 04:47:59 CET 2015


I wrote myself a small bash script to handle ZSK rollover; it might 
handle KSK but I have tried it.
All it does is to set up for a dnssec-keygen. My idea is to automatically 
pick a ZSK and use it as the base for the next key set, as per the -S 
param in dnssec-keygen.
The only real additions are the calculation of an Inactivation and a 
Deletion date based upon the new key's Activation date retrieved from 
the base key.
I use a param which I call the "active life" (Active - Inactive) and a 
second param called "retirement" (Inactive - deletion).

A couple of questions:
Does anybody know if key rolling is going to be part of BIND (as part 
of maintain/inline) maybe?
Has there been any discussion on basing the +/-nn part of the date/time 
params, not on today, but on one of the existing params when the -S 
option is used?



-- 
John Allen
KLaM
------------------------------------------
Inside every older person is a younger person wondering what the hell 
happened!!
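
The date arithmetic described in the message, as an added example that is not the poster's script: it reads the base key's Inactive time (which dnssec-keygen -S uses as the successor's Activate time) and derives the successor's Inactive and Delete times from an "active life" and a "retirement" period in days. It assumes GNU date and BIND's `; Field: YYYYMMDDHHMMSS` comment header in the .key file; the function names and the sample key header are constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical names): successor key timing from a base ZSK.

# Print one timing field (e.g. Inactive) from a BIND .key comment header,
# which looks like "; Inactive: 20150219034759 (Thu Feb 19 03:47:59 2015)".
key_time() {  # usage: key_time KEYFILE FIELD
    awk -v f="$2:" '$1 == ";" && $2 == f { print $3; exit }' "$1"
}

# Add whole days to a YYYYMMDDHHMMSS UTC timestamp (GNU date assumed).
add_days() {  # usage: add_days TIMESTAMP DAYS
    case $1 in *[!0-9]*|'') return 1 ;; esac
    [ "${#1}" -eq 14 ] || return 1
    iso=$(printf '%s\n' "$1" |
        sed 's/^\(....\)\(..\)\(..\)\(..\)\(..\)\(..\)$/\1-\2-\3 \4:\5:\6/')
    epoch=$(date -u -d "$iso" +%s) || return 1
    date -u -d "@$(( epoch + $2 * 86400 ))" +%Y%m%d%H%M%S
}

# Print "ACTIVATE INACTIVE DELETE" for the successor of the base key.
successor_dates() {  # usage: successor_dates KEYFILE ACTIVE_LIFE_DAYS RETIRE_DAYS
    # With -S, the successor becomes active when the base key goes inactive.
    activate=$(key_time "$1" Inactive)
    [ -n "$activate" ] || { echo "base key has no Inactive date" >&2; return 1; }
    inactive=$(add_days "$activate" "$2") || return 1
    delete=$(add_days "$inactive" "$3") || return 1
    echo "$activate $inactive $delete"
}

# Constructed sample key header (not a real key).
sample_header() {
    cat <<'EOF'
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20150120034759 (Tue Jan 20 03:47:59 2015)
; Publish: 20150120034759 (Tue Jan 20 03:47:59 2015)
; Activate: 20150120034759 (Tue Jan 20 03:47:59 2015)
; Inactive: 20150219034759 (Thu Feb 19 03:47:59 2015)
example.com. IN DNSKEY 256 3 8 constructed-placeholder-key-data
EOF
}

sample_key=$(mktemp)
sample_header > "$sample_key"
# 30 days of active life, 14 days of retirement.
echo "successor activate/inactive/delete: $(successor_dates "$sample_key" 30 14)"
rm -f "$sample_key"
# The last two values are what dnssec-settime -I and -D would be given
# for the newly generated key.
```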


More information about the dane-users mailing list