DNSSEC key rollover failure
Phil Mayers
p.mayers at imperial.ac.uk
Fri Jun 17 20:38:23 UTC 2011
On 06/17/2011 09:35 PM, Phil Mayers wrote:
> In which case you're going to have serious problems I think. You can't
> delete a DNSKEY which has any extant RRSIGs until $MAX_TTL *after* those
> RRSIGs finally disappear.
>
> There's an RFC describing the key rotation schedules you must use in a
> lot of detail. I can't find the link off-hand, but I will dig into it.
http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing-02
See section 3.2.1
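The timing rule quoted above (no DNSKEY removal until its last RRSIG has left every cache) is what section 3.2.1 of the referenced draft formalises for a pre-publication ZSK rollover. The Python below is an added example, not code from this post or from BIND: it computes the draft's event times Tpub, Trdy, Tact, Tret and Tdea from a zone's DNSKEY TTL, largest signed-RRset TTL, propagation delay and re-signing time, using the draft's intervals Ipub = Dprp + TTLkey and Iret = Dsgn + Dprp + TTLsig (the same notation survives in the later RFC 7583). The sample TTLs and delays in example_zone() are constructed, not taken from any real zone.

```python
"""Pre-publication ZSK rollover timeline (draft-ietf-dnsop-dnssec-key-timing,
section 3.2.1).  Added example; not code from the original post or from BIND."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class ZoneTiming:
    """Per-zone parameters the timing draft uses.  All values are assumptions."""
    ttl_key: timedelta   # TTLkey: TTL of the DNSKEY RRset
    ttl_sig: timedelta   # TTLsig: largest TTL of any RRset the ZSK signs (so of any RRSIG)
    d_prp: timedelta     # Dprp: time for a newly signed zone to reach every authoritative server
    d_sgn: timedelta     # Dsgn: time to re-sign every RRset with the successor key

    @property
    def i_pub(self) -> timedelta:
        # Ipub: the successor DNSKEY must be in every cache before it may sign.
        return self.d_prp + self.ttl_key

    @property
    def i_ret(self) -> timedelta:
        # Iret: after retirement, RRSIGs made by the old key can still be handed
        # out by authoritative servers (Dsgn + Dprp) and then by caches (TTLsig).
        return self.d_sgn + self.d_prp + self.ttl_sig


def prepublication_rollover(t_pub: datetime, zone: ZoneTiming,
                            t_act: Optional[datetime] = None) -> dict:
    """Event times for rolling a ZSK with the pre-publication method.

    The successor is published at Tpub, is ready at Trdy = Tpub + Ipub and starts
    signing at Tact (>= Trdy).  The predecessor is retired at that same instant
    (Tret = Tact) and is dead, i.e. safe to remove, only at Tdea = Tret + Iret.
    """
    t_rdy = t_pub + zone.i_pub
    if t_act is None:
        t_act = t_rdy
    if t_act < t_rdy:
        raise ValueError("successor must not sign before its DNSKEY has propagated")
    t_ret = t_act
    t_dea = t_ret + zone.i_ret
    return {"Tpub": t_pub, "Trdy": t_rdy, "Tact": t_act, "Tret": t_ret, "Tdea": t_dea}


def safe_to_remove(t_now: datetime, t_ret: datetime, zone: ZoneTiming) -> bool:
    """True once no RRSIG made by the key retired at t_ret can still be cached."""
    return t_now >= t_ret + zone.i_ret


def example_zone() -> ZoneTiming:
    """Constructed sample: 1h DNSKEY TTL, 1d max TTL, 30min propagation, 2h re-sign."""
    return ZoneTiming(ttl_key=timedelta(hours=1), ttl_sig=timedelta(days=1),
                      d_prp=timedelta(minutes=30), d_sgn=timedelta(hours=2))


def example_rollover() -> dict:
    """Timeline for a successor published at an assumed Tpub, signing as soon as ready."""
    t_pub = datetime(2011, 6, 17, 20, 0, tzinfo=timezone.utc)
    return prepublication_rollover(t_pub, example_zone())


if __name__ == "__main__":
    for event, when in example_rollover().items():
        print(f"{event:5s} {when.isoformat()}")
```

Run stand-alone it prints the five event times; the Tdea line is the earliest moment the predecessor DNSKEY may be dropped from the zone, and Tact/Tdea are the kind of values one would hand to BIND's dnssec-settime -I and -D for the predecessor key. Note that a long TTLsig dominates Iret: with a one-day maximum TTL the old key must stay published for more than a day after it stops signing, whatever the DNSKEY TTL is.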