[Opendnssec-user] About removal of KSK
Yuri Schaeffer
yuri at nlnetlabs.nl
Tue Dec 15 13:29:43 UTC 2015
Hi Gaolei,
> According to RFC 5011 and RFC 7583, a KSK must be revoked before
> it is removed from the zone. It means that the corresponding DNSKEY
> RRSet should have the Revoked Bit set to '1'.
RFC5011 does state that. Though this is really only applicable to a
very few people. Are you running some sort of root server? If the
answer is no you can ignore 5011.
> I'm wondering if this will be done by OPENDNSSEC automatically
> after a KSK is rolled over manually.
No, OpenDNSSEC does not revoke keys. It requires a special rollover
with lots of pre- and post-publication of keys. In normal operation
OpenDNSSEC manages a DS at the parent.
Well, recently we added some 5011 features. But you probably won't
need it?
https://wiki.opendnssec.org/display/DOCS/RFC5011
//Yuri
> The command line for key rollover is like this:
>
> $Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK
>
> Shall we execute some more commands on OpenDNSSEC to revoke the
> old KSK or just wait for OpenDNSSEC to do it automatically?
>
> Can anyone give some comment on it?
>
> --
> 2015-12-15 20:45:42
> gaolei
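An added example, not OpenDNSSEC's code and not part of the original thread: a small Python check that parses a zone's DNSKEY RRset, reports which keys are KSKs (SEP bit), whether the RFC 5011 REVOKE bit is set, and each key's RFC 4034 key tag, which changes when a key is revoked. The RRset and key bytes are constructed (far shorter than real keys) and reuse the `test` zone name from the command above.

```python
import base64
import struct

# DNSKEY flag bits: RFC 4034 section 2.1 (ZONE, SEP) and RFC 5011 section 2.1 (REVOKE)
FLAG_ZONE = 0x0100    # bit 7: zone key
FLAG_REVOKE = 0x0080  # bit 8: set when the key is revoked under RFC 5011
FLAG_SEP = 0x0001     # bit 15: secure entry point, i.e. a KSK by convention

# Constructed DNSKEY RRset for the 'test' zone from the thread. Key material is a
# few placeholder bytes, far shorter than a real ECDSA or RSA public key.
SAMPLE_RRSET = [
    "test. 3600 IN DNSKEY 257 3 13 AQIDBA==",  # KSK: ZONE|SEP
    "test. 3600 IN DNSKEY 385 3 13 AQIDBA==",  # the same KSK with REVOKE set
    "test. 3600 IN DNSKEY 256 3 13 BQYHCA==",  # ZSK: ZONE only
]

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the RDATA wire form
    (valid for every algorithm except 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(rr: str) -> dict:
    """Parse one DNSKEY RR in presentation format and classify it."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may span several fields
    is_zone_key = bool(flags & FLAG_ZONE)
    role = "KSK" if is_zone_key and flags & FLAG_SEP else "ZSK" if is_zone_key else "non-zone"
    return {
        "owner": fields[0],
        "flags": flags,
        "role": role,
        "revoked": bool(flags & FLAG_REVOKE),
        "tag": key_tag(flags, protocol, algorithm, pubkey),
    }

def audit_dnskey_rrset(rrset: list) -> list:
    """Return the parsed keys. A revoked key keeps its bytes but gets a new tag,
    because the flags field is part of the tag computation."""
    return [parse_dnskey(rr) for rr in rrset]

if __name__ == "__main__":
    for k in audit_dnskey_rrset(SAMPLE_RRSET):
        print(f"{k['owner']} tag={k['tag']:5d} flags={k['flags']} {k['role']} revoked={k['revoked']}")
```

Validators following RFC 5011 track trust anchors by key tag, so a monitoring check that compares the tags in the published RRset against the expected KSK and its revoked form catches a roll that never reached the revoke state.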