Hi Gaolei,

> According to RFC 5011 and RFC 7583, a KSK must be revoked before
> it is removed from the zone. It means that the corresponding DNSKEY
> RRSet should have the Revoked Bit set to '1'.

RFC 5011 does state that. Though this is really only applicable to a very few people. Are you running some sort of root server? If the answer is no, you can ignore 5011.

> I'm wondering if this will be done by OPENDNSSEC automatically
> after a KSK is rolled over manually.

No, OpenDNSSEC does not revoke keys. It requires a special rollover with lots of pre- and post-publication of keys. In normal operation OpenDNSSEC manages a DS at the parent.

Well, recently we added some 5011 features. But you probably won't need it?

https://wiki.opendnssec.org/display/DOCS/RFC5011

//Yuri

> The command line for key rollover is like this:
>
> $Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK
>
> Shall we execute some more commands on opendnssec to revoke the
> old KSK or just wait for opendnssec to do it automatically?
>
> Can anyone give some comment on it?
>
> ------------------------------------------------------------------------
>
> 2015-12-15 20:45:42
> gaolei
>
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
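An added example, not from this thread or from OpenDNSSEC: a small Python checker that parses DNSKEY records in zone-file presentation format, reports whether a key is a KSK and whether its RFC 5011 REVOKE bit is set, and computes the RFC 4034 key tag. It also shows why operators care: the flags field is part of the RDATA, so a revoked key gets a different key tag than the same key before revocation. The zone name `test.` and the key bytes are constructed, not real key material.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 2.1)
FLAG_ZONE = 0x0100    # bit 7: Zone Key
FLAG_REVOKE = 0x0080  # bit 8: REVOKE
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point (conventionally the KSK)


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] IN DNSKEY flags proto alg base64...'.
    Returns (owner, flags, protocol, algorithm, pubkey_bytes)."""
    fields = rr.split()
    i = 1
    if fields[i].isdigit():          # optional TTL between owner and class
        i += 1
    if fields[i].upper() != "IN" or fields[i + 1].upper() != "DNSKEY":
        raise ValueError("not a DNSKEY record: %r" % rr)
    flags, protocol, algorithm = (int(x) for x in fields[i + 2:i + 5])
    pubkey = base64.b64decode("".join(fields[i + 5:]))  # base64 may be split
    return fields[0], flags, protocol, algorithm, pubkey


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the full DNSKEY RDATA (RFC 4034 Appendix B).
    Because flags are included, setting REVOKE changes the tag."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def describe(rr: str) -> dict:
    owner, flags, proto, alg, pub = parse_dnskey(rr)
    return {
        "owner": owner,
        "zone_key": bool(flags & FLAG_ZONE),
        "ksk": bool(flags & FLAG_SEP),
        "revoked": bool(flags & FLAG_REVOKE),
        "key_tag": key_tag(flags, proto, alg, pub),
    }


# Constructed sample records: the "public key" is just the bytes 1..32.
FAKE_PUB = base64.b64encode(bytes(range(1, 33))).decode()
KSK_ACTIVE = "test. 3600 IN DNSKEY 257 3 8 " + FAKE_PUB   # ZONE|SEP
KSK_REVOKED = "test. 3600 IN DNSKEY 385 3 8 " + FAKE_PUB  # ZONE|REVOKE|SEP

if __name__ == "__main__":
    for rr in (KSK_ACTIVE, KSK_REVOKED):
        print(describe(rr))
```

Run it against the output of `dig +norec DNSKEY test.` to see which keys in a published RRset carry the REVOKE bit.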
