Is it ok that old key is removed from zone before corresponding DS is
removed from root?
From the protocol view, if the new DS is already in place, I think it is ok, but nothing I would recommend.

I can see that zkt-signer is automatically running phase3 and removing
key from the zone.
Are you talking about automated KSK rollover, so the parent zone is under control of zkt-signer? And did you make a hierarchical setup, thus sub zones are in a sub directory of the parent?

Then, and only then, zkt-signer is able to do an automated KSK rollover.
There are two pieces that have to work together.
a) zkt-signer removes the KSK in the zone in phase 3 and copies the keyset-file to the parent dir

b) In signing the parent zone with dnssec-signzone (called by zkt-signer) the DS records will be included depending on the keys found in the keyset-file.

As far as the signing of the child zone is done before signing of the parent I expect that the DS is not removed before the parent.

If you see a different behavior please explain your setup a bit more, post some logs, etc.

Best regards
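
The ordering question in this thread can be checked mechanically. The following is an added example, not code from ZKT or from anyone in the thread: it derives SHA-256 DS records from a child zone's KSKs (RFC 4034) and classifies the delegation as clean, as carrying a DS for a key that is already gone, or as broken. The zone name, the key bytes and all function names are constructed for illustration, and every key passed in is assumed to sign the DNSKEY RRset.

```python
import hashlib
import struct

def name_to_wire(name):
    """Canonical (lower-case) wire format of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def make_ds(owner, rdata):
    """DS fields (key tag, algorithm, digest type 2, digest) for one DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def chain_state(owner, parent_ds, child_ksks):
    """Compare the DS set at the parent with the KSKs published in the child."""
    published = {make_ds(owner, k) for k in child_ksks}
    if not set(parent_ds) & published:
        return "broken"        # no DS matches any published KSK
    if set(parent_ds) <= published:
        return "clean"         # every DS points at a published KSK
    return "dangling-ds"       # validates, but a DS refers to a removed key

# Constructed sample data: placeholder key material, not real keys.
OWNER = "sub.example.net."
OLD_KSK = dnskey_rdata(257, 8, bytes(range(32)))
NEW_KSK = dnskey_rdata(257, 8, bytes(range(32, 64)))
OLD_DS, NEW_DS = make_ds(OWNER, OLD_KSK), make_ds(OWNER, NEW_KSK)

if __name__ == "__main__":
    # Old key already removed from the child, old DS still at the parent.
    print(chain_state(OWNER, [OLD_DS, NEW_DS], [NEW_KSK]))
```

The "dangling-ds" result corresponds to the situation asked about: the new DS is in place, so the chain still validates, but the parent still lists a DS for a key the child no longer publishes.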

zkt-users mailing list
