DNSSEC key rollover
lists at jan-muennich.de
Tue Jan 20 12:27:03 CET 2015
On 20.01.2015, at 04:47, John <john at klam.ca> wrote:
> I wrote myself a small bash script to handle ZSK rollover, it might handle KSK but I have tried it.
> All it does is to setup for a DNSSEC-keygen. My idea is to automatically pick a ZSK and use it as the base for the next key set, as per the -S param in DNSSEC-keygen.
> The only real additions are the calculation of an Inactivation and a Deletion date based upon the new keys Activation date retrieved from the base key.
> I use a param which I call the "active life" (Active - Inactive) and a second param called "retirement" (Inactive - deletion).
Just in case that you don't know this already: DNSSEC Zone Key Tool (http://www.zonekeytool.de) is a combination of scripts to handle key rollover with BIND.
More information about the dane-users