Over the last week I have been implementing the roll over of the keys on my
test system and found a few issues. If you want to roll over a KSK you have
to add a new one, then tell your upstream the new DS's, and then after a
while delete the old one. When you use add-zone-key it sets it to activate
initially, which I don't want to do.

Following RFC 4641 on how the roll overs work.

What I want to do with KSK's when I want to roll over:
* Add a new KSK
* Increase Serial
* Tell Upstream I have 2 new DS's (so they have 4)
* Wait until TTL expires
* Activate NEW KSK
* Deactivate New KSK
* Delete old DS's from Upstream  (so they have 2 again)
* Wait Until TTL Expires
* Delete OLD KSK
* Repeat each time for KSK rollover

For a ZSK roll over I would (as there are 2 added initially, 1 active and 1
deactivated):
* Set Deactivated Key to Active
* Set OLD Activated Key to Deactivated
* Delete OLD Key
* Add a New Key set to Deactivated
* Repeat each time for

Also with disable-dnssec you really do want to delete the old keys as they
will be no use to anyone, and if you enable it again it stuffs everything up.

So, my patch (patch against 2216):
* Fixes Formatting of displaying pdnssec usage
* Checks usage of commands so no seg faults when typing incorrect number of
arguments
* Removes the Keys when you disable-dnssec instead of leaving them there
* When adding a new key it does not activate it, as you don't want to do this
normally

Comments? Or am I reading the RFC's wrongly on how you should do a roll over
and how powerdnssec implements it?

Attachment: pdnssec.cc.diff

Pdns-users mailing list
Pdns-users@mailman.powerdns.com
http://mailman.powerdns.com/mailman/listinfo/pdns-users
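As an added example, not part of the post or of the poster's patch, the Python below runs the KSK steps listed above through a small resolver-cache model and returns the first step at which some cached DS/DNSKEY combination could fail to validate. It assumes resolvers cache the DS and DNSKEY RRsets independently until a 'wait' step, and reads the sixth step as deactivating the old KSK.

```python
"""Resolver-cache check for the KSK rollover steps listed in the post. Added
example, not the poster's patch or PowerDNS code. Assumption: a resolver may
hold any DS RRset and any DNSKEY RRset seen since the last 'wait' step, cached
independently; validation needs a DS matching a KSK that signs the DNSKEY RRset."""

def ksk_rollover_check(steps):
    """Return the name of the first step after which some cached DS/DNSKEY
    combination can no longer be validated, or None if every step is safe."""
    parent_ds, published, signing = {"old"}, {"old"}, {"old"}
    ds_cache = [set(parent_ds)]
    dnskey_cache = [(set(published), set(signing))]
    for name, action, key in steps:
        if action == "add_key":          # pdnssec add-zone-key, left inactive
            published.add(key)
        elif action == "activate":
            signing.add(key)
        elif action == "deactivate":
            signing.discard(key)
        elif action == "remove_key":
            published.discard(key)
            signing.discard(key)
        elif action == "add_ds":         # parent now publishes DS for this key
            parent_ds.add(key)
        elif action == "remove_ds":
            parent_ds.discard(key)
        elif action == "wait":           # every TTL expired: stale copies gone
            ds_cache, dnskey_cache = [], []
        # any other action (e.g. "serial") leaves the key material unchanged
        ds_cache.append(set(parent_ds))
        dnskey_cache.append((set(published), set(signing)))
        for ds in ds_cache:
            for pub, sig in dnskey_cache:
                if not (ds & pub & sig):  # no DS -> signing KSK chain
                    return name
    return None

# The nine KSK steps from the post (constructed; "Deactivate" read as old KSK).
POST_SEQUENCE = [
    ("Add a new KSK", "add_key", "new"),
    ("Increase serial", "serial", None),
    ("Tell upstream the new DS", "add_ds", "new"),
    ("Wait until TTL expires", "wait", None),
    ("Activate new KSK", "activate", "new"),
    ("Deactivate old KSK", "deactivate", "old"),
    ("Delete old DS from upstream", "remove_ds", "old"),
    ("Wait until TTL expires", "wait", None),
    ("Delete old KSK", "remove_key", "old"),
]
# Same steps with a second TTL wait before the old DS is withdrawn.
SAFE_SEQUENCE = POST_SEQUENCE[:6] + [("Wait for DNSKEY TTL", "wait", None)] + POST_SEQUENCE[6:]
```

Run on the post's sequence it flags the step that withdraws the old DS, since a resolver may still hold the DNSKEY RRset signed only by the old KSK until its TTL expires; inserting a second TTL wait before that step, so the newly signed DNSKEY RRset has propagated before the old DS disappears, makes the check pass.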