[Opendnssec-user] About removal of KSK

gaolei gaolei at knet.cn
Tue Dec 15 12:59:14 UTC 2015


    According to RFC 5011 and RFC 7583, a KSK must be revoked before it is removed from the zone.

    It means that the corresponding DNSKEY RRSet should have the Revoked Bit set to '1'.

    I'm wondering if this will be done by OPENDNSSEC automatically after a KSK is rolled over manually. 

    The command line for key rollover is like this:

    $Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK

    Shall we execute some more commands on opendnssec to revoke the old KSK, or just wait for opendnssec to do it automatically?
    Can anyone give some comment on it?

2015-12-15 20:45:42
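One way to check what the post asks about, whether the published DNSKEY RRset carries an old KSK with the REVOKE bit set, as an added example that is not part of the original post or of OpenDNSSEC. The zone name `test.` and the key material are constructed sample data, and the input format (one record per line, as printed by `dig +noall +answer`) is an assumption.

```python
import base64
import struct

SEP = 0x0001     # Secure Entry Point flag, marks a KSK (RFC 4034)
REVOKE = 0x0080  # REVOKE flag (RFC 5011); KSK flags 257 become 385


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def classify(dnskey_lines):
    """Return (key_tag, role, revoked) for each DNSKEY presentation line."""
    result = []
    for line in dnskey_lines:
        fields = line.split()
        idx = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        # The base64 key may be split into several whitespace-separated chunks.
        pubkey = base64.b64decode("".join(fields[idx + 4:]))
        role = "KSK" if flags & SEP else "ZSK"
        tag = key_tag(flags, protocol, algorithm, pubkey)
        result.append((tag, role, bool(flags & REVOKE)))
    return result


def sample_rrset():
    """Constructed RRset for a hypothetical zone 'test.' (not real keys)."""
    def pub(start):
        return base64.b64encode(bytes(range(start, start + 64))).decode()
    return [
        f"test. 3600 IN DNSKEY 257 3 13 {pub(64)}",   # new KSK
        f"test. 3600 IN DNSKEY 385 3 13 {pub(0)}",    # old KSK, REVOKE set
        f"test. 3600 IN DNSKEY 256 3 13 {pub(128)}",  # ZSK
    ]


if __name__ == "__main__":
    for tag, role, revoked in classify(sample_rrset()):
        print(f"{role} key tag {tag}: {'REVOKED' if revoked else 'active'}")
```

Because the flags field is part of the RDATA, setting the REVOKE bit raises the key tag by 128, so a revoked KSK appears in the RRset under a different tag than the one it had while active.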