DNS Key Status Types and Filenames
RRSIG DNSKEY\dksk1\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk1,ksk2\u DNSKEY\dksk2\u
| Status Key Filename used for dnssec-zkt |
| \^ Type Flags public private signing? label |
| active ZSK 256 .key .private y act ive |
| KSK 257 .key .private y act ive |
| published ZSK 256 .key .published n pub lished |
| KSK 257 .key .private n sta ndby |
| depreciated (retired) ZSK 256 .key .depreciated n dep reciated |
| revoked KSK 385 .key .private y rev oked |
| removed KSK 257 k*.key k*.private n - |
| sep KSK 257 .key - n sep |
| (master KSK 257 M...key .private n -) |
| .. |
2 Key rollover
Zone signing key rollover (pre-publish RFC4641)
| action create change remove |
| keys newkey sig key old key |
| zsk1 active active depreciated |
| zsk2 published active active |
| RRSIG zsk1 zsk1 zsk2 zsk2 |
2 Key signing key rollover (double signature RFC4641)
| action create change remove |
| keys newkey delegation old key |
| ksk\d1\u active active active |
| ksk\d2\u active active active |
| DNSKEY RRSIG ksk1 ksk1,ksk2 ksk1,ksk2 ksk2 |
| DS at parent DS\d1\u DS\d1\u DS\d2\u DS\d2\u |
2 Key signing key rollover (rfc5011)
| action newkey change delegation |
| keys & rollover & remove old key |
| ksk\d1\u active revoke\v'-0.2'\(dg\v'+0.2' |
| ksk\d2\u standby active active |
| ksk\d3\u standby\v'-0.2'\(dd\v'+0.2' standby |
| DNSKEY RRSIG ksk1 ksk1,ksk2 ksk2 |
| Parent DS DS\d1\u DS\d1\u DS\d2\u |
| DS\d2\u DS\d2\u DS\d3\u |
\v'-0.2'\(dg\v'0.2' Have to remain until the remove hold-down time is expired, which is 30days at a minimum.
\v'-0.2'\(dd\v'0.2' Will be the standby key after the hold-down time is expired
Add holdtime \(eq max(30days, TTL of DNSKEY)