[Opendnssec-user] About removal of KSK

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Dec 15 13:29:43 UTC 2015


Hi Gaolei,

> According to RFC 5011 and RFC 7583, a KSK must be revoked before
> it is removed from the zone. It means that the corresponding DNSKEY
> RRSet should have the Revoked Bit set to '1'.

RFC 5011 does state that, though this is really only applicable to
very few people. Are you running some sort of root server? If the
answer is no, you can ignore 5011.

> I'm wondering if this will be done by OpenDNSSEC automatically
> after a KSK is rolled over manually.

No, OpenDNSSEC does not revoke keys. It requires a special rollover
with lots of pre- and post-publication of keys. In normal operation
OpenDNSSEC manages a DS at the parent.

Well, recently we added some 5011 features. But you probably won't
need it?

https://wiki.opendnssec.org/display/DOCS/RFC5011

//Yuri

> The command line for key rollover is like this:
> 
> $Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK
> 
> Shall we execute some more commands on OpenDNSSEC to revoke the
> old KSK, or just wait for OpenDNSSEC to do it automatically?
> 
> Can anyone give some comment on it?
> 
> ----------------------------------------------------------------------
> 
> 2015-12-15 20:45:42
> gaolei
> 
> 
> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
_______________________________________________
Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
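The thread turns on what the RFC 5011 REVOKE bit actually is: one flag bit in the DNSKEY RDATA, which a validator checks before it will drop a trust anchor. The following is an added example, not code from this thread or from OpenDNSSEC, that parses presentation-format DNSKEY records, reports the SEP (KSK) and REVOKE flags, and computes the RFC 4034 key tag so you can see that revoking a key changes its tag (the flags are part of the hashed RDATA). The sample RRset and its key material are constructed placeholders, not real keys.

```python
"""Inspect DNSKEY records for the RFC 5011 REVOKE bit and compute key tags.

Added example for the opendnssec-user thread on KSK removal; it is not part
of OpenDNSSEC. The sample records below are constructed and carry no real
key material.
"""
import base64
import struct
from dataclasses import dataclass

# DNSKEY flag bits: Zone Key and SEP from RFC 4034 section 2.1.1,
# REVOKE from RFC 5011 section 2.1.
FLAG_ZONE = 0x0100    # bit 7: this is a zone key
FLAG_REVOKE = 0x0080  # bit 8: the key has been revoked
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point, conventionally the KSK


@dataclass(frozen=True)
class DNSKey:
    owner: str
    flags: int
    protocol: int
    algorithm: int
    public_key: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags (2 bytes), protocol, algorithm, public key."""
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key

    @property
    def is_ksk(self) -> bool:
        return bool(self.flags & FLAG_SEP)

    @property
    def is_revoked(self) -> bool:
        return bool(self.flags & FLAG_REVOKE)


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> DNSKey:
    """Parse one presentation-format DNSKEY RR, e.g.
    'test. 3600 IN DNSKEY 257 3 8 AQIDBA=='."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    public_key = base64.b64decode("".join(fields[i + 4:]))
    return DNSKey(fields[0], flags, protocol, algorithm, public_key)


def revoke(key: DNSKey) -> DNSKey:
    """Return the same key with the REVOKE bit set, as RFC 5011 requires
    before the key leaves the zone. Since the flags are part of the RDATA,
    the key tag changes; an RFC 5011 validator recomputes the tag with the
    bit set when matching a revoked key against its trust anchor."""
    return DNSKey(key.owner, key.flags | FLAG_REVOKE,
                  key.protocol, key.algorithm, key.public_key)


def describe(key: DNSKey) -> dict:
    """Summarise one key: tag, role (by SEP bit) and revocation state."""
    return {"tag": key_tag(key.rdata()),
            "role": "KSK" if key.is_ksk else "ZSK",
            "revoked": key.is_revoked}


def audit(lines) -> list:
    """Describe every DNSKEY RR in the given presentation-format lines."""
    return [describe(parse_dnskey(line)) for line in lines]


# Constructed sample DNSKEY RRset; the base64 is placeholder bytes, not a key.
SAMPLE_RRSET = [
    "test. 3600 IN DNSKEY 257 3 8 AQIDBA==",   # flags 257 = ZONE | SEP: a KSK
    "test. 3600 IN DNSKEY 256 3 8 BQYHCA==",   # flags 256 = ZONE only: a ZSK
]


if __name__ == "__main__":
    for entry in audit(SAMPLE_RRSET):
        print(entry)
    ksk = parse_dnskey(SAMPLE_RRSET[0])
    print("after revoke:", describe(revoke(ksk)))
```

Run against a real zone, feed it the output of `dig +norec DNSKEY <zone>` (one record per line) and look for entries with "revoked": True that are still published; per RFC 5011 a revoked key must stay in the RRset, signed by itself, for a hold-down period before it is removed, which is the extra publication the reply above refers to.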