[Opendnssec-user] Documentation on the state of keys?

sion at nominet.org.uk
Fri Feb 5 14:22:25 UTC 2010


> I cannot find any documentation of the various states of the keys, as
> displayed by ksmutil key list.
>
> A README file in enforcer/utils and the source of ksmutil just give
> the list:
>
> key states: GENERATED|PUBLISHED|READY|ACTIVE|RETIRED|REVOKED|DEAD
>
> without explanations. By observation, I can see that a key goes
> through the steps:
>
> PUBLISHED -> READY -> ACTIVE -> RETIRED
>
> but I never see GENERATED and DEAD and wonder what their uses are.
>
> (If I generate keys with ksmutil key generate, I do not see them in
> the output of ksmutil key list.)

All of the key timing and states are described in:

http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01

This link used to be in the documentation; I'll have a look now to see if
it has been removed.

GENERATED keys are not assigned to zones (which happens at publication
time).
DEAD keys are ones which no longer need to appear in any zones. (As opposed
to RETIRED, which are not being used to sign, but are still being published.)

Sion



