[Opendnssec-user] About removal of KSK
gaolei
gaolei at knet.cn
Tue Dec 15 12:59:14 UTC 2015
Hi all,
According to RFC 5011 and RFC 7583, a KSK must be revoked before it is removed from the zone.
It means that the corresponding DNSKEY RRSet should have the Revoked Bit set to '1'.
I'm wondering if this will be done by OpenDNSSEC automatically after a KSK is rolled over manually.
The command line for key rollover is like this:
$Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK
Shall we execute some more commands on OpenDNSSEC to revoke the old KSK, or just wait for OpenDNSSEC to do it automatically?
Can anyone comment on this?
2015-12-15 20:45:42
gaolei
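
Added example (not part of the original post, and not OpenDNSSEC code): one way to check a published DNSKEY RRset for the RFC 5011 REVOKE flag and see how it changes the key tag. The zone name, records and key bytes below are constructed dummy values, and the helper names are hypothetical.

```python
import base64
import struct

SEP = 0x0001      # Secure Entry Point flag (RFC 4034), set on KSKs
REVOKE = 0x0080   # REVOKE flag (RFC 5011)

# Constructed sample DNSKEY RRset; the key material is dummy bytes, not real keys.
SAMPLE_RRSET = """\
example.test. 3600 IN DNSKEY 385 3 8 AQIDBA==
example.test. 3600 IN DNSKEY 257 3 8 BQYHCA==
example.test. 3600 IN DNSKEY 256 3 8 CQoLDA==
"""

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """Parse one presentation-format DNSKEY record into a dict."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return {
        "flags": flags,
        "ksk": bool(flags & SEP),
        "revoked": bool(flags & REVOKE),
        "tag": key_tag(flags, protocol, algorithm, public_key),
        # Tag the same key had before the REVOKE bit was set.
        "tag_unrevoked": key_tag(flags & ~REVOKE, protocol, algorithm, public_key),
    }

def ksk_status(rrset_text):
    """Return the parsed KSKs (SEP bit set) from a DNSKEY RRset."""
    keys = [parse_dnskey(l) for l in rrset_text.splitlines() if "DNSKEY" in l]
    return [k for k in keys if k["ksk"]]

if __name__ == "__main__":
    for k in ksk_status(SAMPLE_RRSET):
        state = "revoked" if k["revoked"] else "not revoked"
        print(f"KSK tag {k['tag']} (pre-revocation tag {k['tag_unrevoked']}): {state}")
```

A revoked KSK shows flags 385 instead of 257, and its key tag differs from the pre-revocation tag because the flags field is part of the tag computation.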