From: Otto Moerbeek Date: Tue, 8 Jan 2019 13:22:25 +0000 (+0100) Subject: Tweaks to the rollover docs: make a few things explicit. X-Git-Tag: rec-4.2.0-alpha1~56^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3bad708208a89833fd21584b4e7f64553c82813f;p=thirdparty%2Fpdns.git Tweaks to the rollover docs: make a few things explicit. --- diff --git a/docs/guides/kskroll.rst b/docs/guides/kskroll.rst index df1f4c0934..f50ccc0728 100644 --- a/docs/guides/kskroll.rst +++ b/docs/guides/kskroll.rst @@ -7,7 +7,8 @@ understand the terminology, actions and timelines (TTL and RRSIG expiry) involved in rolling a KSK. This How To describes the "Double-Signature Key Signing Key Rollover" -from the above mentioned RFC. +from the above mentioned RFC. The following instruction work for +both a KSK and a CSK. To start the rollover, add an **active** new KSK to the zone (example.net in this case): @@ -27,11 +28,11 @@ the new KSK: pdnsutil show-zone example.net -And communicate this securely to your registrar/parent zone. Now wait -until the new DS is published in the parent zone and at least the TTL -for the DS records has passed. The rollover is now in the "DS Change" -state and can continue to the "DNSKEY Removal" stage by actually -deleting the old KSK. +And communicate this securely to your registrar/parent zone, replacing +the existing data. Now wait until the new DS is published in the +parent zone and at least the TTL for the DS records has passed. The +rollover is now in the "DS Change" state and can continue to the +"DNSKEY Removal" stage by actually deleting the old KSK. .. note:: The key-id for the old KSK is shown in the output of @@ -41,4 +42,5 @@ deleting the old KSK. pdnsutil remove-zone-key example.net KEY-ID +If this zone is of the type 'MASTER', increase the SOA serial. The rollover is now complete.
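Review bot: In the first hunk (line "The following instruction work for both a KSK and a CSK."), subject and verb do not agree; change to "The following instructions work for both a KSK and a CSK." It would also help the reader to say in the same sentence that a CSK is rolled with exactly the same steps because it plays the KSK role at the parent (it is the key the DS points to), so no separate procedure is needed.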
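Review bot: In the second hunk, "replacing the existing data" is vague about what is being replaced; say explicitly "replacing the DS record(s) of the old KSK", since the whole point of the Double-Signature rollover is that the parent ends up publishing only the new DS. Suggested wording: "And communicate this securely to your registrar/parent zone, replacing the DS record(s) of the old KSK." The subsequent sentence about waiting at least the DS TTL is correct as written, but it is worth stating that the wait exists so that no validating resolver still holds the old DS in cache when the old DNSKEY is removed in the next stage; otherwise the reader may treat the wait as optional.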
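Review bot: In the third hunk, the new sentence "If this zone is of the type 'MASTER', increase the SOA serial." gives an instruction without a command, while every other step in this guide shows the pdnsutil invocation in a literal block; add one, e.g. `pdnsutil increase-serial example.net`, and say why the step is needed (so that secondaries are notified and transfer the zone without the removed DNSKEY). The same consideration applies to the earlier step in the first hunk where the new active KSK is added, which also changes the zone content; either mention the serial increase there too or state once near the top that every key change must be followed by a serial increase on MASTER zones. Also, the added line and "The rollover is now complete." read as one paragraph; a blank line between them would keep the final sentence as its own closing statement, matching the rest of the document.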