State diagram for DNSsec key lifecycle
Axel Rau
Axel.Rau at Chaos1.DE
Mon Feb 13 18:48:56 UTC 2012
Am 11.02.2012 um 11:33 schrieb Axel Rau:
>
> Am 10.02.2012 um 01:57 schrieb Mark Andrews:
>
>> You don't submitt the initial DS until the KSK is active and any old
>> state about the DNSKEY as clear caches. I recommend "activate" +
>> "publish" at the same time.
> I see. draft-ietf-dnsop-dnssec-key-timing-02 uses the term 'used for signing' as synonym for 'active' on page 22.
> I will update the diagram.
Here is the next revision with comments from Mark and Jeff incorporated (same URL):
https://www.chaos1.de/svn-public/repos/network-tools/DNSsec/trunk/dnssec_key_states.pdf
I'm still unsure about submitting the follow-up DS while its KSK not yet active.
Please review carefully and comment. Simplifications are also welcome.
Axel
PS: If someone cares, here is the cert of our root ca:
https://www.chaos1.de/cacert.pem
---
PGP-Key:29E99DD6 ☀ +49 151 2300 9283 ☀ computing @ chaos claudius
More information about the bind-users
mailing list