DNSSEC key rollover failure

Phil Mayers p.mayers at imperial.ac.uk
Fri Jun 17 20:38:23 UTC 2011


On 06/17/2011 09:35 PM, Phil Mayers wrote:

> In which case you're going to have serious problems, I think. You can't
> delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
> RRSIGs finally disappear.
>
> There's an RFC describing the key rotation schedules you must use in a
> lot of detail. I can't find the link off-hand, but I will dig into it.

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-02

See section 3.2.1
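To make the timing rule above concrete, here is a small calculator added to this page (not BIND code and not from the thread's author) for the ZSK pre-publication rollover in section 3.2.1 of that draft. The two intervals used, Ipub = Dprp + TTLkey and Iret = Dsgn + Dprp + TTLsig, are the ones the draft defines; the names t_pub, d_prp, d_sgn, the safety-margin parameters and the RRSIG lines are assumptions made for the example, and the RRSIG records are constructed, not from a real zone. The second function encodes the rule quoted above: a key still has RRSIGs in the zone, so it cannot go; or its last RRSIG has been replaced, so it may go only after the largest TTL (plus propagation delay) has elapsed.

```python
"""ZSK pre-publication rollover timing and a DNSKEY-removal check.

Added example for this thread (not BIND code, not the list author's code).
Intervals follow draft-ietf-dnsop-dnssec-key-timing section 3.2.1:
    Ipub = Dprp + TTLkey          new DNSKEY has reached every cache
    Iret = Dsgn + Dprp + TTLsig   last RRSIG made by the old key has aged out
The sample RRSIG lines below are constructed, not taken from a real zone.
"""
from datetime import datetime, timedelta, timezone


def ts(s):
    """Aware UTC datetime from 'YYYY-MM-DDTHH:MM:SS' (convenience helper)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def hours(n):
    return timedelta(hours=n)


def zsk_prepub_timeline(t_pub, ttl_key, ttl_sig, d_prp, d_sgn, lifetime,
                        publish_safety=timedelta(0), retire_safety=timedelta(0)):
    """Key-state timeline for one ZSK under the pre-publication method.

    t_pub: when the new DNSKEY is first published; lifetime: how long it signs.
    Safety margins are added on top of each interval (assumed placement).
    """
    i_pub = d_prp + ttl_key              # Ipub: DNSKEY propagation + key TTL
    i_ret = d_sgn + d_prp + ttl_sig      # Iret: re-sign + propagation + RRSIG TTL
    t_act = t_pub + i_pub + publish_safety   # key may start signing
    t_ret = t_act + lifetime                 # key stops signing, stays published
    t_dea = t_ret + i_ret + retire_safety    # earliest time DNSKEY may be removed
    return {"Ipub": i_pub, "Iret": i_ret, "Tpub": t_pub,
            "Tact": t_act, "Tret": t_ret, "Tdea": t_dea}


def parse_rrsig(line):
    """Parse one RRSIG in presentation format (as printed by dig or in a signed zone).

    Field order: owner ttl class RRSIG type alg labels origttl expiration
                 inception keytag signer signature...
    """
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type": f[4],
        "expiration": datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc),
        "keytag": int(f[10]),
    }


def rrsigs_by_key(rrsig_lines, keytag):
    """RRSIGs in the zone that were made by the key with this key tag."""
    return [r for r in map(parse_rrsig, rrsig_lines) if r["keytag"] == keytag]


def can_remove_key(rrsig_lines, keytag, t_now, t_last_rrsig_gone, max_ttl, d_prp):
    """Apply the rule from the thread: no RRSIGs may remain, then wait $MAX_TTL.

    t_last_rrsig_gone: when the last RRSIG by this key was replaced in the zone.
    max_ttl: largest TTL of any RRset the key signed (the $MAX_TTL of the quote).
    Returns (ok, reason).
    """
    remaining = rrsigs_by_key(rrsig_lines, keytag)
    if remaining:
        latest = max(r["expiration"] for r in remaining)
        return False, "%d RRSIG(s) still made by key %d (latest expires %s)" % (
            len(remaining), keytag, latest.isoformat())
    earliest = t_last_rrsig_gone + d_prp + max_ttl
    if t_now < earliest:
        return False, "last RRSIG replaced; wait until %s" % earliest.isoformat()
    return True, "safe to delete since %s" % earliest.isoformat()


# Constructed sample data: keys 12345 and 23456 still sign records, 34567 does not.
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG A 8 2 3600 20110701000000 20110601000000 12345 example.com. AbCd==",
    "example.com. 3600 IN RRSIG MX 8 2 3600 20110701000000 20110601000000 23456 example.com. EfGh==",
    "www.example.com. 86400 IN RRSIG A 8 3 86400 20110630000000 20110531000000 12345 example.com. IjKl==",
]

if __name__ == "__main__":
    now = ts("2011-06-17T20:38:23")
    for tag in (12345, 34567):
        print(tag, can_remove_key(SAMPLE_RRSIGS, tag, now, now - hours(25), hours(24), hours(1)))
    tl = zsk_prepub_timeline(ts("2011-06-01T00:00:00"), hours(1), hours(24), hours(2), hours(1), hours(24 * 30))
    for k in ("Tpub", "Tact", "Tret", "Tdea"):
        print(k, tl[k].isoformat())
```

Feed `rrsig_lines` from `dig +dnssec` output or the signed zone file; as long as `rrsigs_by_key` returns anything for the old key tag, that key must stay in the DNSKEY RRset whatever the calendar says.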
