Hi all,
According to RFC 5011 and RFC 7583, a KSK must be revoked before it is
removed from the zone.
It means that the corresponding DNSKEY RRSet should have the Revoked Bit
set to '1'.
I'm wondering if this will be done by OpenDNSSEC automatically after a KSK
is rolled over manually.
The command line for key rollover is like this:
$Opendnssec_Home/bin/ods-ksmutil key rollover -z test -t KSK
Shall we execute some more commands on OpenDNSSEC to revoke the old KSK, or
just wait for OpenDNSSEC to do it automatically?
Can anyone give some comments on it?
2015-12-15 20:45:42
gaolei
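
A way to check the condition asked about above, as an added example that is not part of the original post and is not OpenDNSSEC code: it looks for the old KSK in a DNSKEY RRset and reports whether the RFC 5011 REVOKE bit is set (flags 385 instead of 257). The key material, TTLs and function names are constructed for illustration; only the zone name `test` comes from the post.

```python
import base64
import struct

ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001  # DNSKEY flag bits (RFC 4034, RFC 5011)

def parse_dnskey(line):
    """Parse one DNSKEY record in presentation format, e.g. a line of dig output."""
    fields = line.split(";")[0].split()          # drop any trailing comment
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    return {"flags": flags, "protocol": protocol, "algorithm": algorithm,
            "pubkey": base64.b64decode("".join(fields[i + 4:]))}

def key_tag(key):
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", key["flags"], key["protocol"],
                        key["algorithm"]) + key["pubkey"]
    ac = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def old_ksk_status(old_key, rrset_lines):
    """Find old_key in the current DNSKEY RRset by key material, not by tag:
    setting REVOKE changes the flags field and therefore the key tag."""
    for line in rrset_lines:
        if "DNSKEY" not in line.split(";")[0].split():
            continue                              # comment or non-DNSKEY line
        key = parse_dnskey(line)
        if (key["algorithm"], key["pubkey"]) == (old_key["algorithm"], old_key["pubkey"]):
            state = "revoked" if key["flags"] & REVOKE else "published, not revoked"
            return state, key_tag(key)
    return "absent", None

# Constructed sample data: toy 4-byte "public keys", not real keys.
OLD_KSK = parse_dnskey("test. 3600 IN DNSKEY 257 3 8 AQIDBA==")
RRSET_AFTER_ROLLOVER = [
    "; constructed DNSKEY RRset for zone 'test'",
    "test. 3600 IN DNSKEY 256 3 8 CQoLDA==",
    "test. 3600 IN DNSKEY 257 3 8 BQYHCA==",
    "test. 3600 IN DNSKEY 385 3 8 AQIDBA== ; old KSK, REVOKE set",
]

if __name__ == "__main__":
    print(key_tag(OLD_KSK), old_ksk_status(OLD_KSK, RRSET_AFTER_ROLLOVER))
```

In practice the RRset lines would come from a DNSKEY query against the zone's authoritative server, and the old key from a copy saved before the rollover.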