Root zone DNSSEC KSK rollover event - 2018/10/11, 16:00 UTC
Anand Buddhdev
anandb at ripe.net
Fri Sep 28 09:55:16 UTC 2018
On 28/09/2018 11:37, Ray Bellis wrote:
Hi Ray,
> At this time the old key will be removed from the root zone leaving only
> the new key (id 20326) in the zone. If your DNS servers don't know and
> trust the new key at that point then DNSSEC validation errors will occur.
On 11 October, the old key won't be removed. On that day, the new key
will start signing the DNSKEY RRset. The old key (id 19036), will remain
in the root zone; it just won't sign the DNSKEY RRset. Eventually, in
the first quarter of 2019, it will be revoked, and then removed *after*
the hold-down period.
Regards,
Anand
More information about the bind-users
mailing list