[Pdns-users] Rolling Keys Over

Craig Whitmore lennon at orcon.net.nz
Mon Jun 13 03:38:06 UTC 2011


I got the ZSK/KSK around the wrong way (I was a little tired).
And I found it already activates the new key when it is added, so the activate
step is not needed as on the webpage? Does this look all right now?
I noticed when you secure a domain it adds an unactivated ZSK, which I could
roll to in the first instance?

Maybe I should do a lot more reading about this...

ZSK Roll Over

pdnssec show-zone domain.co.nz (to find oldkey-id)
pdnssec add-zone-key domain.co.nz zsk 1024
pdnssec deactivate-zone-key domain.co.nz <oldkey-id>
pdnssec remove-zone-key domain.co.nz <oldkey-id>

KSK Roll Over

pdnssec show-zone domain.co.nz (to find oldkey-id)
pdnssec add-zone-key domain.co.nz ksk 2048
Send the new DS records upstream (but don't delete the old ones)
Wait until the upstream has the new DS records in their DNS.
Remove the old DS records from upstream
pdnssec deactivate-zone-key domain.co.nz <oldkey-id>
pdnssec remove-zone-key domain.co.nz <oldkey-id>



I found the slave does not update at all, so I also have to increase the
serial number on the rollovers as well, or the slave does not update.
Comments?

Thanks
Craig
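The two rollovers listed in the message above (ZSK and KSK), written out as a shell script with the checks and waits the bare command lists leave out. This is an added example, not code from the original post or from the PowerDNS project. It assumes that the key lines printed by `pdnssec show-zone` look like the constructed sample embedded in the script, that the longest TTL in the zone is known (MAX_TTL), and that raising the SOA serial, which the post says is needed before slaves transfer the change, is done by a backend-specific command passed in as BUMP_SERIAL_CMD (a hypothetical hook, not a pdnssec feature). The PDNSSEC and SLEEP variables exist so the script can be dry-run against a wrapper.

```shell
#!/bin/sh
# Added example, not PowerDNS project code: the ZSK and KSK rollovers from the
# post as shell functions. Assumptions the post does not make: `pdnssec
# show-zone` prints key lines like the constructed SAMPLE_SHOW_ZONE below;
# MAX_TTL is the longest TTL in the zone; bumping the SOA serial is backend-
# specific and delegated to BUMP_SERIAL_CMD (hypothetical hook).

PDNSSEC="${PDNSSEC:-pdnssec}"       # point at a wrapper or function for a dry run
ZONE="${ZONE:-domain.co.nz}"
MAX_TTL="${MAX_TTL:-86400}"
SLEEP="${SLEEP:-sleep}"
BUMP_SERIAL_CMD="${BUMP_SERIAL_CMD:-}"

# Constructed sample of show-zone output (field layout assumed, not captured).
SAMPLE_SHOW_ZONE='Zone has NSEC semantics
keys:
ID = 1 (KSK), tag = 26001, algo = 8, bits = 2048 Active: 1
KSK DNSKEY = domain.co.nz IN DNSKEY 257 3 8 AwEAAa...
DS = domain.co.nz IN DS 26001 8 2 0123456789abcdef...
ID = 2 (ZSK), tag = 8493, algo = 8, bits = 1024 Active: 1
ID = 3 (ZSK), tag = 5521, algo = 8, bits = 1024 Active: 0'

# key_ids TYPE ACTIVE: IDs of KSK|ZSK keys whose Active flag is ACTIVE (stdin).
key_ids() {
    awk -v type="($1)," -v active="$2" \
        '$1 == "ID" && $4 == type && $NF == active { print $3 }'
}

# key_tag ID: the key tag of key ID, which is what its DS records carry (stdin).
key_tag() { awk -v id="$1" '$1 == "ID" && $3 == id { sub(",", "", $7); print $7 }'; }

# single_id VALUE: succeed only if VALUE is exactly one key ID; never roll blind.
single_id() {
    case "$1" in
        '')       echo "no matching key in $ZONE" >&2; return 1 ;;
        *[!0-9]*) echo "several matching keys in $ZONE, refusing" >&2; return 1 ;;
    esac
}

# Slaves only transfer when the SOA serial grows (the post's observation).
bump_serial() {
    if [ -n "$BUMP_SERIAL_CMD" ]; then
        $BUMP_SERIAL_CMD "$ZONE"     # unquoted on purpose: may carry arguments
    else
        echo "reminder: raise the SOA serial of $ZONE or slaves keep the old keys" >&2
    fi
}

# Double-signature ZSK rollover: add-zone-key activates the new key at once (as
# the post found), so the old key may only go once old-only data has aged out.
zsk_rollover() {
    shown=$("$PDNSSEC" show-zone "$ZONE") || return 1
    old=$(printf '%s\n' "$shown" | key_ids ZSK 1)
    single_id "$old" || return 1
    "$PDNSSEC" add-zone-key "$ZONE" zsk 1024 || return 1
    bump_serial
    "$SLEEP" "$MAX_TTL"              # old-only RRSIGs and DNSKEY sets expire
    "$PDNSSEC" deactivate-zone-key "$ZONE" "$old" || return 1
    bump_serial
    "$SLEEP" "$MAX_TTL"              # keep the old DNSKEY published one more TTL
    "$PDNSSEC" remove-zone-key "$ZONE" "$old" || return 1
    bump_serial
}

# KSK rollover, first half: add the new KSK and print only its DS records for
# the parent. The old DS must stay in the parent until the new one is live.
ksk_rollover_start() {
    shown=$("$PDNSSEC" show-zone "$ZONE") || return 1
    old=$(printf '%s\n' "$shown" | key_ids KSK 1)
    single_id "$old" || return 1
    "$PDNSSEC" add-zone-key "$ZONE" ksk 2048 || return 1
    bump_serial
    shown=$("$PDNSSEC" show-zone "$ZONE") || return 1
    new=$(printf '%s\n' "$shown" | key_ids KSK 1 | grep -v -x "$old" || true)
    single_id "$new" || return 1
    tag=$(printf '%s\n' "$shown" | key_tag "$new")
    echo "old KSK is id $old; give the parent these DS records (new KSK, tag $tag):"
    printf '%s\n' "$shown" | grep " IN DS $tag "
}

# KSK rollover, second half: run only after the parent has removed the old DS
# and at least the parent's DS TTL has passed, so no validator still needs it.
ksk_rollover_finish() {
    "$PDNSSEC" deactivate-zone-key "$ZONE" "$1" || return 1
    "$PDNSSEC" remove-zone-key "$ZONE" "$1" || return 1
    bump_serial
}

# Usage: ZONE=domain.co.nz sh rollover.sh zsk | ksk-start | ksk-finish OLD_ID
case "${1:-}" in
    zsk)        zsk_rollover ;;
    ksk-start)  ksk_rollover_start ;;
    ksk-finish) ksk_rollover_finish "$2" ;;
esac
```

The refusal in single_id is the part worth keeping even if the rest is adapted: with two active ZSKs present (the unactivated one a freshly secured zone carries becomes a second active key the moment it is activated), a blind deactivate/remove of "the" old key is a coin toss. The two sleeps in zsk_rollover are the difference between a rollover and a brief validation outage for resolvers that still hold the old DNSKEY RRset or old-only signatures.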



