DNSSEC key rollover

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 21 21:03:45 CET 2015


On Wed, Jan 21, 2015 at 09:43:18AM +0100, Carsten Strotmann wrote:

> The way I use the key dates is to specify the "retirement" and "deletion"
> only before the new key is generated, e.g. when the rollover starts. That
> way, the rollover can be postponed in time when needed
>
> [...]
> 
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: UNSET
> Delete: UNSET
>
> [...]
>
> 28 days after activation, the rollover process starts by setting the
> inactivation time and creating the successor key:
> 
> # dnssec-settime -I +2d -D +8d Kexample.com.+008+50340
> ./Kexample.com.+008+50340.key
> ./Kexample.com.+008+50340.private
> # dnssec-settime -p all Kexample.com.+008+50340
> Created: Wed Jan 21 09:32:35 2015
> Publish: Thu Jan 22 09:32:35 2015
> Activate: Sun Jan 25 09:32:35 2015
> Revoke: UNSET
> Inactive: Sun Feb 22 09:37:28 2015
> Delete: Sat Feb 28 09:37:28 2015
> 
> # dnssec-keygen -i 2d -S Kexample.com.+008+50340.key
> example.com

Thanks for posting this, very useful!

This looks like a robust and complete process for ZSKs. Could you
take a few minutes to describe any additional or different steps
for SEP keys (KSKs)?  (Especially in relation to DS RR updates, ...)

-- 
	Viktor.
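The ZSK rollover quoted above can be sanity-checked with a small script. The following is an added example, not code from the thread, from Carsten, or from BIND: it parses the `dnssec-settime -p all` output quoted in the post, derives the dates that `dnssec-keygen -S -i 2d` assigns to the successor (per the BIND manual, the successor's Activate equals the predecessor's Inactive and its Publish is Activate minus the prepublication interval), and then checks the pre-publish rollover timing rules from RFC 6781 against an assumed DNSKEY TTL and maximum RRSIG TTL. The TTL values, the propagation allowance and the function names are assumptions chosen for illustration; only the ZSK side shown in the post is covered, nothing about KSK or DS handling.

```python
"""ZSK pre-publish rollover timing check (added example, not BIND code)."""
from datetime import datetime, timedelta

# Predecessor key state quoted from the post, as printed by
# `dnssec-settime -p all` after `dnssec-settime -I +2d -D +8d`.
SETTIME_OUTPUT = """\
Created: Wed Jan 21 09:32:35 2015
Publish: Thu Jan 22 09:32:35 2015
Activate: Sun Jan 25 09:32:35 2015
Revoke: UNSET
Inactive: Sun Feb 22 09:37:28 2015
Delete: Sat Feb 28 09:37:28 2015
"""

TIME_FMT = "%a %b %d %H:%M:%S %Y"   # format used in the quoted output


def parse_settime(text):
    """Parse `dnssec-settime -p all` output into {event: datetime or None}."""
    times = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        event, _, value = line.partition(":")
        value = " ".join(value.split())          # collapse padding such as "Jan  5"
        times[event.strip()] = None if value == "UNSET" else datetime.strptime(value, TIME_FMT)
    return times


def successor_times(pred, prepublish):
    """Dates `dnssec-keygen -S <pred> -i <prepublish>` gives the successor
    (BIND manual: Activate = predecessor Inactive, Publish = Activate - prepublish)."""
    if pred.get("Inactive") is None:
        raise ValueError("predecessor has no Inactive time; set it with dnssec-settime -I first")
    activate = pred["Inactive"]
    return {"Publish": activate - prepublish, "Activate": activate,
            "Revoke": None, "Inactive": None, "Delete": None}


def check_zsk_rollover(pred, succ, dnskey_ttl, max_rrsig_ttl, propagation=timedelta(0)):
    """Return a list of timing problems for a pre-publish ZSK rollover (RFC 6781 4.1.1.1).

    Simplified model: the predecessor is assumed to stop producing signatures at
    Inactive; with incremental re-signing the re-sign window must be added too.
    """
    problems = []
    # New DNSKEY must have reached every cache before it signs anything.
    if succ["Publish"] + dnskey_ttl + propagation > succ["Activate"]:
        problems.append("successor prepublication interval shorter than DNSKEY TTL + propagation")
    # Old DNSKEY must stay published until its last RRSIGs have expired from caches.
    if pred["Delete"] is not None and pred["Inactive"] + max_rrsig_ttl + propagation > pred["Delete"]:
        problems.append("predecessor deleted before its last signatures expire from caches")
    # There must never be a moment with no active ZSK.
    if succ["Activate"] > pred["Inactive"]:
        problems.append("gap: predecessor inactive before successor active")
    return problems


def plan_rollover(settime_text, prepublish_days, dnskey_ttl_hours,
                  max_rrsig_ttl_hours, propagation_hours=0):
    """Run the whole sequence and return plain strings/lists for easy checking."""
    pred = parse_settime(settime_text)
    succ = successor_times(pred, timedelta(days=prepublish_days))
    problems = check_zsk_rollover(pred, succ,
                                  timedelta(hours=dnskey_ttl_hours),
                                  timedelta(hours=max_rrsig_ttl_hours),
                                  timedelta(hours=propagation_hours))
    fmt = lambda t: None if t is None else t.strftime(TIME_FMT)
    return {"successor_publish": fmt(succ["Publish"]),
            "successor_activate": fmt(succ["Activate"]),
            "problems": problems}


if __name__ == "__main__":
    # Assumed TTLs: DNSKEY 24h, longest RRSIG-covered RRset 24h, 2h propagation.
    report = plan_rollover(SETTIME_OUTPUT, prepublish_days=2,
                           dnskey_ttl_hours=24, max_rrsig_ttl_hours=24,
                           propagation_hours=2)
    for k, v in report.items():
        print(f"{k}: {v}")
```

With the post's intervals (`-I +2d -D +8d`, `-i 2d`) and the assumed one-day TTLs the plan passes; raising the DNSKEY TTL above two days, or the RRSIG TTL above the six days between Inactive and Delete, makes the checker flag the corresponding rule, which is the question to ask before shortening those intervals on a real zone.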


More information about the dane-users mailing list