From the protocol view, if the new DS is already in place, I think it is ok, but nothing I would recommend.

Is it ok that old key is removed from zone before corresponding DS is removed from root?

Are you talking about automated KSK rollover, so the parent zone is under control of zkt-signer? And did you make a hierarchical setup, thus sub zones are in a sub directory of the parent?

I can see that zkt-signer is automatically running phase3 and removing key from the zone.

Then, and only then, zkt-signer is able to do an automated KSK rollover. There are two pieces that have to work together.
a) zkt-signer removes the KSK in the zone in phase 3 and copies the keyset- file to the parent dir
b) In signing the parent zone with dnssec-signzone (called by zkt-signer) the DS records will be included depending on the keys found in the keyset-file.
As far as the signing of the child zone is done before signing of the parent I expect that the DS is not removed before the parent.
If you see a different behavior please explain a bit more your setup, post some logs, etc.
Best regards Holger
_______________________________________________ zkt-users mailing list zkt-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/zkt-users
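
The condition discussed in this message, as an added example that is not part of the original e-mail and not ZKT code: a Python check that splits the parent's DS set into records still backed by a KSK in the child zone and dangling ones, after the child has dropped its old KSK. The zone name and key bytes are constructed placeholders; the check compares DS records with DNSKEYs only (SHA-256 digests, RFC 4034 key tags) and does not validate signatures.

```python
import hashlib
import struct

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA wire format: flags(2) | protocol(1)=3 | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def wire_name(name):
    """Canonical (lower-case) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def make_ds(owner, rdata, alg):
    """DS as (key tag, algorithm, digest type 2, SHA-256(owner | DNSKEY RDATA))."""
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest()
    return (key_tag(rdata), alg, 2, digest)

def check_delegation(owner, child_dnskeys, parent_ds):
    """Return (matched DS, dangling DS, True if at least one DS matches a child KSK)."""
    backed = {make_ds(owner, dnskey_rdata(f, a, k), a)
              for f, a, k in child_dnskeys if f & 0x0001}   # SEP bit set = KSK
    matched = [ds for ds in parent_ds if ds in backed]
    dangling = [ds for ds in parent_ds if ds not in backed]
    return matched, dangling, bool(matched)

# Constructed sample data: placeholder key material, not real keys.
ZONE = "sub.example.net."
OLD_KSK = (257, 8, b"constructed-old-ksk-public-key")
NEW_KSK = (257, 8, b"constructed-new-ksk-public-key")
ZSK = (256, 8, b"constructed-zsk-public-key")
ds_old = make_ds(ZONE, dnskey_rdata(*OLD_KSK), 8)
ds_new = make_ds(ZONE, dnskey_rdata(*NEW_KSK), 8)

if __name__ == "__main__":
    # Child has already dropped the old KSK (phase 3); compare two parent states.
    child = [NEW_KSK, ZSK]
    for label, ds_set in [("new DS published", [ds_old, ds_new]),
                          ("only old DS", [ds_old])]:
        matched, dangling, ok = check_delegation(ZONE, child, ds_set)
        print(label, "| DS matches a KSK:", ok,
              "| dangling tags:", [d[0] for d in dangling])
```

With the new DS published, the old DS is only reported as dangling; with only the old DS left in the parent, no DS matches any KSK in the child and validation of the zone would fail.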