DNS Key Status Types and Filenames
Status                 Key type  Flags  Filename (public)  Filename (private)  Used for signing?  dnssec-zkt label
active                 ZSK       256    .key               .private            y                  active
active                 KSK       257    .key               .private            y                  active
published              ZSK       256    .key               .published          n                  published
published              KSK       257    .key               .private            n                  standby
depreciated (retired)  ZSK       256    .key               .depreciated        n                  depreciated
revoked                KSK       385    .key               .private            y                  revoked
removed                KSK       257    k*.key             k*.private          n                  -
sep                    KSK       257    .key               -                   n                  sep
(master                KSK       257    M...key            .private            n                  -)
Key rollover

Zone signing key rollover (pre-publish, RFC4641)

Keys / RRSIG      start    create new key   change sig key   remove old key
zsk1              active   active           depreciated      -
zsk2              -        published        active           active
RRSIG signed by   zsk1     zsk1             zsk2             zsk2
Key signing key rollover (double signature, RFC4641)

Keys / RRSIG / DS        start   create new key   change delegation   remove old key
ksk1                     active  active           active              -
ksk2                     -       active           active              active
DNSKEY RRSIG signed by   ksk1    ksk1,ksk2        ksk1,ksk2           ksk2
DS at parent             DS1     DS1              DS2                 DS2
Key signing key rollover (RFC5011)

Keys / RRSIG / DS        start     new key & rollover   change delegation & remove old key
ksk1                     active    revoked†             -
ksk2                     standby   active               active
ksk3                     -         standby‡             standby
DNSKEY RRSIG signed by   ksk1      ksk1,ksk2            ksk2
Parent DS                DS1, DS2  DS1, DS2             DS2, DS3

† Has to remain until the remove hold-down time has expired, which is 30 days at a minimum.
‡ Will be the standby key after the hold-down time has expired.

Add holdtime = max(30 days, TTL of DNSKEY)
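As an added illustration (not part of the ZKT documentation), the following Python decodes the DNSKEY flag values from the status table, applies the add hold-down formula above, and checks a rollover plan against the pre-publish rule of the ZSK rollover table; the step lists at the bottom are constructed from that table, and the function names are this example's own.

```python
# DNSKEY flag bits (RFC 4034, RFC 5011); the flag values in the status table are sums of these.
FLAG_ZONE_KEY = 256   # set on every ZSK and KSK
FLAG_SEP = 1          # secure entry point, marks a KSK: 256 + 1 = 257
FLAG_REVOKE = 128     # RFC 5011 revoke bit: 257 + 128 = 385

def key_kind(flags):
    """Decode a DNSKEY flags value into the key role used in the status table above."""
    if not flags & FLAG_ZONE_KEY:
        return "not a zone key"
    kind = "KSK" if flags & FLAG_SEP else "ZSK"
    return "revoked " + kind if flags & FLAG_REVOKE else kind

def add_holdtime(dnskey_ttl):
    """Add hold-down time in seconds, as given above: max(30 days, TTL of the DNSKEY RRset)."""
    return max(30 * 86400, dnskey_ttl)

def prepublish_violations(steps):
    """Check a ZSK rollover plan against the pre-publish rule of the table above.
    steps is a list of (status_by_key, signing_key); the signer of a step must be
    active in that step and must already have been in the DNSKEY RRset in the
    previous step, so that validators can have cached it before it signs."""
    problems = []
    for i, (status, signer) in enumerate(steps):
        if status.get(signer) != "active":
            problems.append(f"step {i}: signer {signer} is not active")
        if i and signer not in steps[i - 1][0]:
            problems.append(f"step {i}: signer {signer} was not pre-published in step {i - 1}")
    return problems

# Constructed from the ZSK rollover table: key statuses and RRSIG signer for each state.
PREPUBLISH_TABLE = [
    ({"zsk1": "active"}, "zsk1"),                           # start
    ({"zsk1": "active", "zsk2": "published"}, "zsk1"),      # create new key
    ({"zsk1": "depreciated", "zsk2": "active"}, "zsk2"),    # change sig key
    ({"zsk2": "active"}, "zsk2"),                           # remove old key
]
# Constructed bad plan that skips the publish step: zsk2 signs before it was in the RRset.
SKIPPED_PUBLISH = [
    ({"zsk1": "active"}, "zsk1"),
    ({"zsk1": "depreciated", "zsk2": "active"}, "zsk2"),
]

if __name__ == "__main__":
    for flags in (256, 257, 385):
        print(flags, key_kind(flags))
    print("add hold-down for 1h TTL:", add_holdtime(3600) // 86400, "days")
    print("table plan:", prepublish_violations(PREPUBLISH_TABLE) or "ok")
    print("skipped publish:", prepublish_violations(SKIPPED_PUBLISH))
```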