<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; color: rgb(0, 0, 0); font-size: 14px; font-family: Calibri, sans-serif; "><div>Over the last week I have been implementing the Roll over of the keys on my test system and found a few issues. If you want to roll over a KSK you have to add a new one , then tell your upstream the new DS's and then after a while delete the old one.. When you use add-zone-key it sets it to activate initially which I don't want to do.</div><div><br></div><div>Following RFC -4641 on how the roll overs work.</div><div><font class="Apple-style-span" face="monospace"><span class="Apple-style-span" style="white-space: pre-wrap; font-size: medium;"><br></span></font></div><div>I want to with KSK's when I want to roll over</div><ul><li>Add a new KSK</li><li>Increase Serial</li><li>Tell Upstream I have 2 new DS's (so they have 4)</li><li>Wait until TTL expires</li><li>Activate NEW KSK</li><li>Deactivate New KSK</li><li>Delete old DS's from Upstream (so they have 2 again)</li><li>Wait Until TTL Expires</li><li>Delete OLD KSK</li><li>Repeat each time for KSK rollover</li></ul><div>For a ZSK roll over I (as there are 2 added initially 1 active and 1 deactive)</div><ul><li>Set Deactivated Key to Active</li><li>Set OLD Activated Key to Deactivated</li><li>Delete OLD Key</li><li>Add a New Key set to Deactivated</li><li>Repeat Each time for</li></ul><div>Also with disable-dnssec you really do want to delete the old keys as they will be no use to anyone and if you enable again if stuff everything up</div><div><br></div><div>So my patch. (patch against 2216)</div><ul><li>Fixes Formatting of displaying pdnssec usage</li><li>Checks Usage of commands so no seg faults when typing incorrect number of argeuments</li><li>Removes the Keys when you disable-dnssec instead of leaving them there</li><li>When adding a new Key it does not activate it as you don't want to do this normally</li></ul><div>Comments? Or am I reading the RFC's wrongly on how you should do a roll over and how powerdnssec implements it?</div><div><br></div><div><br></div></body></html>