dnsext-2----Page:11

Example – Stand-by Key Compromised
Using the same assumptions and naming conventions as Key Roll-Over above:
Generate a new key pair 'C'.
Add 'C' to the DNSKEY RRSet.
Set the revocation bit on key 'B'.
Sign the RRSet with 'A' and 'B'. 'B' is now revoked, 'A' remains the active key, and 'C' will be the stand-by key once the hold-down expires. 'B' SHOULD continue to be included in the RRSet for the remove hold-down time.
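The steps above, modelled as an added example (not part of the original slides). The REVOKE flag value comes from RFC 5011 and the key tag calculation from RFC 4034 Appendix B; the function names and the four-byte key material are constructed placeholders.

```python
from dataclasses import dataclass, replace

ZONE, SEP, REVOKE = 0x0100, 0x0001, 0x0080  # DNSKEY flag bits (REVOKE: RFC 5011)

@dataclass(frozen=True)
class DNSKEY:
    name: str          # slide label: 'A', 'B', 'C'
    pubkey: bytes      # constructed placeholder, not real key material
    flags: int = ZONE | SEP
    protocol: int = 3
    algorithm: int = 8

    @property
    def revoked(self):
        return bool(self.flags & REVOKE)

    def key_tag(self):
        # RFC 4034 Appendix B checksum over the DNSKEY RDATA
        rdata = self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey
        acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
        return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def standby_compromised(rrset, active, standby, new_key):
    """Apply the slide's steps; return (new RRSet, names of signing keys)."""
    out = dict(rrset)
    out[new_key.name] = new_key                                    # add 'C'
    out[standby] = replace(out[standby], flags=out[standby].flags | REVOKE)  # revoke 'B'
    return out, [active, standby]                                  # sign with 'A' and 'B'

def check(rrset, signers):
    """Return a list of problems to catch before publishing the RRSet."""
    problems = [f"revoked key {k.name} does not sign the RRSet"
                for k in rrset.values() if k.revoked and k.name not in signers]
    if all(rrset[s].revoked for s in signers):
        problems.append("no non-revoked key signs the RRSet")
    return problems

if __name__ == "__main__":
    start = {"A": DNSKEY("A", bytes([0x0A] * 4)), "B": DNSKEY("B", bytes([0x0B] * 4))}
    rrset, signers = standby_compromised(start, "A", "B", DNSKEY("C", bytes([0x0C] * 4)))
    for k in rrset.values():
        print(k.name, "flags", k.flags, "tag", k.key_tag(), "REVOKED" if k.revoked else "")
    print("signers:", signers, "problems:", check(rrset, signers))
```

Setting the revocation bit changes the key tag of 'B', so signatures made with the revoked key carry the new tag rather than the one 'B' had as the stand-by key.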