Single-key rollover

Alexander Gurvitz alex at
Mon Jun 18 14:58:55 UTC 2012


Is it possible with BIND to perform "Single Type Signing Key rollover"
as described in chapter 4.1.4 of rfc4641bis-11:

(The idea is to have zone with single key instead of ZSK/KSK pair)

   There is a second variety of this rollover, during which one
   introduces a new DNSKEY into the key set and signs the key set with
   both keys while signing the zone data with only the original
   DNSKEY_S_1. One replaces the DNSKEY_S_1 signatures with signatures
   made with DNSKEY_S_2 at the moment of DNSKEY_S_1 removal.

As far as I understand, it's not possible with BIND; am I getting it right?

Thanks in advance,
Alexander Gurvitz,
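The rollover quoted above, modelled as a sequence of zone states and checked the way a validator would see it (added example, not from the original post or from BIND; the DS handling and the three-way split of DNSKEY/RRSIG state are assumptions of the model):

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ZoneState:
    """One rollover step: published keys and what each signs (ds = parent's DS set)."""
    dnskeys: frozenset      # keys in the DNSKEY RRset
    dnskey_sigs: frozenset  # keys whose RRSIGs cover the DNSKEY RRset
    data_sigs: frozenset    # keys whose RRSIGs cover ordinary zone data
    ds: frozenset

def validates(ds, dnskeys, dnskey_sigs, data_sigs):
    """Chain check: a DS-matched key in the DNSKEY RRset must sign that RRset,
    and every data RRSIG must come from a key that is in the DNSKEY RRset."""
    trusted = ds & dnskeys & dnskey_sigs
    return bool(trusted) and bool(data_sigs) and data_sigs <= dnskeys

def check_rollover(states):
    """Return (index, reason) for every step that breaks validation. Each step
    is checked on its own and against a validator that still holds the DS or
    the DNSKEY RRset it cached from the previous step (TTL not yet expired)."""
    problems = []
    for i, cur in enumerate(states):
        if not validates(cur.ds, cur.dnskeys, cur.dnskey_sigs, cur.data_sigs):
            problems.append((i, "step does not validate on its own"))
        if i == 0:
            continue
        prev = states[i - 1]
        if not validates(prev.ds, cur.dnskeys, cur.dnskey_sigs, cur.data_sigs):
            problems.append((i, "cached DS cannot validate the new DNSKEY RRset"))
        if not validates(prev.ds, prev.dnskeys, prev.dnskey_sigs, cur.data_sigs):
            problems.append((i, "cached DNSKEY RRset cannot verify the new data RRSIGs"))
    return problems

S1, S2 = "DNSKEY_S_1", "DNSKEY_S_2"
fs = frozenset

# Second variety from the quoted text (constructed sequence): S_2 joins the key set
# and signs only the DNSKEY RRset; data keeps S_1 signatures until S_1 is removed.
RFC_SECOND_VARIETY = [
    ZoneState(fs({S1}), fs({S1}), fs({S1}), fs({S1})),          # steady state
    ZoneState(fs({S1, S2}), fs({S1, S2}), fs({S1}), fs({S1})),  # S_2 published
    ZoneState(fs({S1, S2}), fs({S1, S2}), fs({S1}), fs({S2})),  # parent DS switched
    ZoneState(fs({S2}), fs({S2}), fs({S2}), fs({S2})),          # S_1 removed, data re-signed
]

# Same plan, but data is re-signed with S_2 as soon as S_2 is published.
HASTY_RESIGN = list(RFC_SECOND_VARIETY)
HASTY_RESIGN[1] = ZoneState(fs({S1, S2}), fs({S1, S2}), fs({S2}), fs({S1}))
```

`check_rollover(RFC_SECOND_VARIETY)` returns an empty list, while the hasty plan fails at step 1 because a validator still holding the single-key DNSKEY RRset cannot verify signatures made with DNSKEY_S_2.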