Commit e2d43cd9 authored by Evan Hunt

some minor clarifications

parent 08ce4218
......@@ -27,20 +27,19 @@ RFC5011-managed trust anchor will take note of the stand-by KSKs in the
zone's DNSKEY RRset, and store them for future reference. The resolver
will recheck the zone periodically, and after 30 days, if the new key is
still there, then the key will be accepted by the resolver as a valid
trust anchor for the zone.
trust anchor for the zone. Any time after this 30-day acceptance timer
has completed, the active KSK can be revoked, and the zone can be "rolled
over" to the newly accepted key.
The easiest way to place a stand-by key in a zone is to use the "smart
signing" features of dnssec-signzone. If a key with a publication date
in the past, but an activation date in the future, "dnssec-signzone -S"
will include the DNSKEY record in the zone, but will not sign with it:
signing" features of dnssec-keygen and dnssec-signzone. If a key with a
publication date in the past, but an activation date which is unset or in
the future, "dnssec-signzone -S" will include the DNSKEY record in the
zone, but will not sign with it:
$ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net
$ dnssec-signzone -S -K keys example.net
At any time after this 30-day acceptance timer has expired, the active
KSK can be revoked and the zone can be "rolled over" to one of the
standby KSKs.
To revoke a key, the new command "dnssec-revoke" has been added. This adds
the REVOKED bit to the key flags and re-generates the K*.key and K*.private
files.
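Review bot: the moved sentence "Any time after this 30-day acceptance timer has completed, the active KSK can be revoked" reads as if the timer were a property of the zone, but the 30-day add hold-down described two sentences earlier runs on each validating resolver from the moment that resolver first sees the new DNSKEY, so a resolver that was down or not re-checking during that window will not have accepted the key yet. Suggest adding a caution here that the stand-by key should remain published, unrevoked, for comfortably longer than 30 days before the old KSK is revoked, since the operator cannot observe when every resolver started its timer. Relatedly, the revised text says the activation date may be "unset or in the future", but the example still uses "-A now+2y"; with "dnssec-signzone -S" that key will start signing automatically in two years whether or not the roll was planned, so the example might either drop "-A" or add a sentence noting that an unset activation date avoids an unattended activation.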