From: Evan Hunt Date: Fri, 4 Dec 2009 20:04:43 +0000 (+0000) Subject: some minor clarifications X-Git-Tag: v9.7.2^2~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2d43cd9d5d9c2d0927f1c747728c5d9c4f3fba3;p=thirdparty%2Fbind9.git some minor clarifications --- diff --git a/README.rfc5011 b/README.rfc5011 index 02aac566a90..fd941fb93b7 100644 --- a/README.rfc5011 +++ b/README.rfc5011 @@ -27,20 +27,19 @@ RFC5011-managed trust anchor will take note of the stand-by KSKs in the zone's DNSKEY RRset, and store them for future reference. The resolver will recheck the zone periodically, and after 30 days, if the new key is still there, then the key will be accepted by the resolver as a valid -trust anchor for the zone. +trust anchor for the zone. Any time after this 30-day acceptance timer +has completed, the active KSK can be revoked, and the zone can be "rolled +over" to the newly accepted key. The easiest way to place a stand-by key in a zone is to use the "smart -signing" features of dnssec-signzone. If a key with a publication date -in the past, but an activation date in the future, "dnssec-signzone -S" -will include the DNSKEY record in the zone, but will not sign with it: +signing" features of dnssec-keygen and dnssec-signzone. If a key with a +publication date in the past, but an activation date which is unset or in +the future, "dnssec-signzone -S" will include the DNSKEY record in the +zone, but will not sign with it: $ dnssec-keygen -K keys -f KSK -P now -A now+2y example.net $ dnssec-signzone -S -K keys example.net -At any time after this 30-day acceptance timer has expired, the active -KSK can be revoked and the zone can be "rolled over" to one of the -standby KSKs. - To revoke a key, the new command "dnssec-revoke" has been added. This adds the REVOKED bit to the key flags and re-generates the K*.key and K*.private files.