DNSSEC key rollover

Jan Münnich lists at jan-muennich.de
Tue Jan 20 12:27:03 CET 2015


On 20.01.2015, at 04:47, John <john at klam.ca> wrote:

> I wrote myself a small bash script to handle ZSK rollover; it might handle KSK but I have tried it.
> All it does is to set up for a DNSSEC-keygen. My idea is to automatically pick a ZSK and use it as the base for the next key set, as per the -S param in DNSSEC-keygen.
> The only real additions are the calculation of an Inactivation and a Deletion date based upon the new key's Activation date retrieved from the base key.
> I use a param which I call the "active life" (Active - Inactive) and a second param called "retirement" (Inactive - deletion).

Just in case you don't know this already: DNSSEC Zone Key Tool (http://www.zonekeytool.de) is a combination of scripts to handle key rollover with BIND.

Regards, Jan
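
The date calculation described in the quoted message, as an added example that is not part of the thread and is not John's script: it reads the timing comments from a BIND key file and builds a `dnssec-keygen -S` command with `-I` and `-D` derived from the "active life" and "retirement" parameters. The key file contents, the key file name and the 90/30 day values are constructed; it relies on `-S` setting the new key's activation date to the base key's inactivation date.

```python
import re
from datetime import datetime, timedelta

TS_FMT = "%Y%m%d%H%M%S"  # UTC timestamp format used in BIND key files

# Constructed sample .key file for a ZSK; every value here is made up.
SAMPLE_KEY = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Publish: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Activate: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Inactive: 20150401000000 (Wed Apr  1 00:00:00 2015)
; Delete: 20150501000000 (Fri May  1 00:00:00 2015)
example.com. IN DNSKEY 256 3 8 AwEAAcPLACEHOLDER
"""


def key_timings(key_text):
    """Parse the '; Field: YYYYMMDDHHMMSS (...)' comment lines of a key file."""
    found = re.findall(r"^; (\w+): (\d{14})\b", key_text, re.MULTILINE)
    return {name: datetime.strptime(ts, TS_FMT) for name, ts in found}


def successor_args(key_text, base_key, active_life_days, retirement_days):
    """Return the dnssec-keygen argument list for the successor of base_key."""
    if active_life_days <= 0 or retirement_days <= 0:
        raise ValueError("active life and retirement must be positive")
    timings = key_timings(key_text)
    if "Inactive" not in timings:
        # With -S the new key activates when the base key goes inactive, so a
        # base key with no Inactive date gives nothing to schedule from.
        raise ValueError("base key has no Inactive date")
    activate = timings["Inactive"]                            # new key's Activation
    inactive = activate + timedelta(days=active_life_days)    # "active life"
    delete = inactive + timedelta(days=retirement_days)       # "retirement"
    return ["dnssec-keygen", "-S", base_key,
            "-I", inactive.strftime(TS_FMT), "-D", delete.strftime(TS_FMT)]


if __name__ == "__main__":
    # Hypothetical base key name and intervals (90 days active, 30 retired).
    print(" ".join(successor_args(SAMPLE_KEY, "Kexample.com.+008+12345", 90, 30)))
```

A base key with no Inactive date is rejected rather than defaulted, since the successor's whole schedule is anchored on it.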



More information about the dane-users mailing list