.NH 1
DNS Key Status Types and Filenames
.PP
.TS
cfB | cfB s | cfB s | cfB | cfB
cfB | cfB | cfB | cfB | cfB | cfB | cfB
l | l | n | l | l | c | lfCW .
Status Key Filename used for dnssec-zkt
\^ Type Flags public private signing? label
_
active ZSK 256 .key .private y act ive
KSK 257 .key .private y act ive
.sp 0.2
published ZSK 256 .key .published n pub lished
KSK 257 .key .private n sta ndby
.sp 0.2
depreciated (retired) ZSK 256 .key .depreciated n dep reciated
.sp 0.2
revoked KSK 385 .key .private y rev oked
.sp 0.2
removed KSK 257 k*.key k*.private n -
.sp 0.2
sep KSK 257 .key - n sep
.ig
.sp 0.2
(master KSK 257 M...key .private n -)
..
.TE
.SP 2
.NH 1
Key rollover
.PP
.NH 2
Zone signing key rollover (pre-publish RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey sig key old key
_
zsk1 active active depreciated
zsk2 published active active
.sp 0.3
RRSIG zsk1 zsk1 zsk2 zsk2
.TE
.SP 2
.NH 2
Key signing key rollover (double signature RFC4641)
.PP
.TS
rfB cfB |cfB |cfB |cfB
lfB |cfB |cfB |cfB |cfB
l |l |l |l |l .
action create change remove
keys newkey delegation old key
_
ksk\d1\u active active active
ksk\d2\u active active active
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2
.sp 0.3
DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u
.TE
.\"RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u
.SP 2
.NH 2
Key signing key rollover (rfc5011)
.PP
.TS
rfB cfB |cfB |cfB
lfB |cfB |cfB |cfB
l |l |l |l .
action newkey change delegation
keys & rollover & remove old key
_
ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2'
ksk\d2\u standby active active
ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby
.sp 0.3
DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2
.sp 0.3
Parent DS DS\d1\u DS\d1\u DS\d2\u
DS\d2\u DS\d2\u DS\d3\u
.TE
.LP
\v'-0.2'\(dg\v'0.2'
Have to remain until the remove hold-down time is expired,
which is 30days at a minimum.
.LP
\v'-0.2'\(dd\v'0.2'
Will be the standby key after the hold-down time is expired
.br
Add holdtime \(eq max(30days, TTL of DNSKEY)