contrib/zkt/doc/KeyRollover.ms

   1 .NH 1
   2 DNS Key Status Types and Filenames
   3 .PP
   4 .TS
   5 cfB     | cfB     s     | cfB   s       | cfB   | cfB
   6 cfB     | cfB   | cfB   | cfB   | cfB   | cfB   | cfB
   7 l       | l     | n     | l     | l     | c     | lfCW  .
   8 Status  Key     Filename        used for        dnssec-zkt
   9 \^      Type    Flags   public  private signing?        label
  10 _
  11 active  ZSK     256     .key    .private        y       act ive
  12         KSK     257     .key    .private        y       act ive
  13 .sp 0.2
  14 published       ZSK     256     .key    .published      n       pub lished
  15         KSK     257     .key    .private        n       sta ndby
  16 .sp 0.2
  17 depreciated (retired)   ZSK     256     .key    .depreciated    n       dep reciated
  18 .sp 0.2
  19 revoked KSK     385     .key    .private        y       rev oked
  20 .sp 0.2
  21 removed KSK     257     k*.key  k*.private      n       -
  22 .sp 0.2
  23 sep     KSK     257     .key    -       n       sep
  24 .ig
  25 .sp 0.2
  26 (master KSK     257     M...key .private        n       -)
  27 ..
  28 .TE
  29 .SP 2
  30 .NH 1
  31 Key rollover
  32 .PP
  33 .NH 2
  34 Zone signing key rollover (pre-publish RFC4641)
  35 .PP
  36 .TS
  37 rfB      cfB    |cfB    |cfB    |cfB
  38 lfB     |cfB    |cfB    |cfB    |cfB
  39 l       |l      |l      |l      |l      .
  40 action          create  change  remove
  41 keys            newkey  sig key old key
  42 _
  43 zsk1    active  active  depreciated
  44 zsk2            published       active  active
  45 .sp 0.3
  46 RRSIG   zsk1    zsk1    zsk2    zsk2
  47 .TE
  48 .SP 2
  49 .NH 2
  50 Key signing key rollover (double signature RFC4641)
  51 .PP
  52 .TS
  53 rfB      cfB    |cfB    |cfB    |cfB
  54 lfB     |cfB    |cfB    |cfB    |cfB
  55 l       |l      |l      |l      |l      .
  56 action          create  change  remove
  57 keys            newkey  delegation      old key
  58 _
  59 ksk\d1\u        active  active  active
  60 ksk\d2\u                active  active  active
  61 .sp 0.3
  62 DNSKEY RRSIG    ksk1    ksk1,ksk2       ksk1,ksk2       ksk2
  63 .sp 0.3
  64 DS at parent    DS\d1\u DS\d1\u DS\d2\u DS\d2\u
  65 .TE
  66 .\"RRSIG        DNSKEY\dksk1\u  DNSKEY\dksk1,ksk2\u     DNSKEY\dksk1,ksk2\u     DNSKEY\dksk2\u
  67 .SP 2
  68 .NH 2
  69 Key signing key rollover (rfc5011)
  70 .PP
  71 .TS
  72 rfB      cfB    |cfB    |cfB
  73 lfB     |cfB    |cfB    |cfB
  74 l       |l      |l      |l      .
  75 action          newkey  change delegation
  76 keys            & rollover      & remove old key
  77 _
  78 ksk\d1\u        active  revoke\v'-0.2'\(dg\v'+0.2'
  79 ksk\d2\u        standby active  active
  80 ksk\d3\u                standby\v'-0.2'\(dd\v'+0.2'     standby
  81 .sp 0.3
  82 DNSKEY RRSIG    ksk1    ksk1,ksk2       ksk2
  83 .sp 0.3
  84 Parent DS       DS\d1\u DS\d1\u DS\d2\u
  85         DS\d2\u DS\d2\u DS\d3\u
  86 .TE
  87 .LP
  88 \v'-0.2'\(dg\v'0.2'
  89 Have to remain until the remove hold-down time is expired,
  90 which is 30days at a minimum.
  91 .LP
  92 \v'-0.2'\(dd\v'0.2'
  93 Will be the standby key after the hold-down time is expired
  94 .br
  95 Add holdtime \(eq max(30days, TTL of DNSKEY)