dnsext-2----Page:9

5.3 Key Roll-Over
Assume existing keys 'A' and 'B'. 'A' is actively in use (i.e. it has been signing the DNSKEY RRSet). 'B' is the stand-by key (i.e. it has been in the DNSKEY RRSet and is a valid trust anchor in resolvers, but has not been used to sign the RRSet).
Generate a new key pair 'C'.
Add 'C' to the DNSKEY RRSet.
Set the revocation bit (REVOKE, bit 8 of the DNSKEY flags field) on key 'A'. Note that this changes the key tag of 'A', since the key tag is computed over the full RDATA including the flags.
Sign the RRSet with both 'A' and 'B'. The self-signature by 'A' is what allows a resolver to accept the revocation (a REVOKE bit without a self-signature is not honoured); the signature by 'B', an already-trusted key, is what allows the resolver to process the RRSet and start the add hold-down for 'C'. 'A' is now revoked, 'B' is now the active key, and 'C' will be the stand-by key once the add hold-down time expires.
The operator SHOULD keep the revoked 'A' in the RRSet for at least the remove hold-down time, so that every resolver has a chance to observe the revocation, but may remove it from the DNSKEY RRSet after that.
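The roll-over above, seen from the resolver side, as an added example that is not code from the slides or from any DNS implementation: a small model of the RFC 5011 trust-anchor state machine (Start, AddPend, Valid, Missing, Revoked, Removed) is driven through the published RRSets, with days counted as integers and both hold-down timers set to the 30-day value RFC 5011 recommends. Key names, the sample public-key bytes and the rule that only an RRSet signed by a currently Valid anchor is processed at all are assumptions of this model; the key-tag routine is the RFC 4034 Appendix B algorithm, used here to show the tag change that revoking 'A' causes.

```python
from dataclasses import dataclass

# RFC 5011 recommended hold-down values; this model counts time in days.
ADD_HOLD_DOWN = 30
REMOVE_HOLD_DOWN = 30
REVOKE = 0x0080  # RFC 5011 section 2.1: bit 8 of the DNSKEY flags field

START, ADDPEND, VALID, MISSING, REVOKED, REMOVED = (
    "Start", "AddPend", "Valid", "Missing", "Revoked", "Removed")


@dataclass
class DnskeyRRSet:
    """One observed DNSKEY RRSet (constructed sample, not real DNS data).
    keys: names present; revoked: those with REVOKE set;
    signed_by: keys whose private half produced an RRSIG over the set."""
    keys: frozenset
    revoked: frozenset
    signed_by: frozenset


@dataclass
class Anchor:
    state: str
    since: int  # day on which the current state was entered


class Rfc5011Resolver:
    def __init__(self, initial_anchors, day=0):
        self.anchors = {k: Anchor(VALID, day) for k in initial_anchors}

    def valid_anchors(self):
        return {k for k, a in self.anchors.items() if a.state == VALID}

    def state_of(self, k):
        a = self.anchors.get(k)
        return a.state if a else START

    def observe(self, rrset, day):
        # Revoked -> Removed once the remove hold-down has elapsed.
        for a in self.anchors.values():
            if a.state == REVOKED and day - a.since >= REMOVE_HOLD_DOWN:
                a.state, a.since = REMOVED, day
        # Model assumption: an RRSet not signed by a Valid anchor is ignored
        # entirely, which is what defeats a spoofed key set.
        if not (rrset.signed_by & self.valid_anchors()):
            return False
        for k in rrset.keys:
            a = self.anchors.get(k)
            if k in rrset.revoked:
                # Revocation needs a self-signature; otherwise leave state alone.
                if a is None or k not in rrset.signed_by:
                    continue
                if a.state in (VALID, MISSING):
                    a.state, a.since = REVOKED, day
                elif a.state == ADDPEND:
                    del self.anchors[k]            # AddPend -> Start
                continue
            if a is None:
                self.anchors[k] = Anchor(ADDPEND, day)   # Start -> AddPend
            elif a.state == MISSING:
                a.state, a.since = VALID, day
            elif a.state == ADDPEND and day - a.since >= ADD_HOLD_DOWN:
                a.state, a.since = VALID, day            # hold-down expired
        # Tracked keys that vanished from the RRSet.
        for k, a in list(self.anchors.items()):
            if k not in rrset.keys:
                if a.state == ADDPEND:
                    del self.anchors[k]            # timer restarts from Start
                elif a.state == VALID:
                    a.state, a.since = MISSING, day
        return True


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags|proto|alg|key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags, pubkey, protocol=3, algorithm=8):
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def run_rollover():
    """Drive the procedure from the slide: A active, B stand-by, C new."""
    r = Rfc5011Resolver({"A", "B"})
    r.observe(DnskeyRRSet(frozenset("AB"), frozenset(), frozenset("A")), 0)
    # Day 1: operator adds C, sets REVOKE on A, signs with A and B.
    roll = DnskeyRRSet(frozenset("ABC"), frozenset("A"), frozenset("AB"))
    r.observe(roll, 1)
    after_roll = {k: r.state_of(k) for k in "ABC"}
    r.observe(roll, 20)
    day20_c = r.state_of("C")             # still inside the add hold-down
    r.observe(roll, 31)
    day31_c = r.state_of("C")             # hold-down expired: Valid
    # Day 40: operator drops A (remove hold-down observed), B keeps signing.
    r.observe(DnskeyRRSet(frozenset("BC"), frozenset(), frozenset("B")), 40)
    final = {k: r.state_of(k) for k in "ABC"}
    # An attacker-published set signed only by an unknown key X is ignored.
    spoof = r.observe(DnskeyRRSet(frozenset("X"), frozenset(), frozenset("X")), 40)
    return {"after_roll": after_roll, "day20_C": day20_c, "day31_C": day31_c,
            "final": final, "spoof_processed": spoof, "spoof_X": r.state_of("X")}


if __name__ == "__main__":
    print(run_rollover())
    print(key_tag(dnskey_rdata(256, b"\x01\x02\x03\x04")),
          key_tag(dnskey_rdata(256 | REVOKE, b"\x01\x02\x03\x04")))
```

The two transitions worth watching operationally are the ones the timers gate: 'C' only becomes Valid if it stays in every RRSet the resolver fetches for the whole add hold-down (a gap sends it back to Start), and 'A' is only purged after it has been seen revoked for the remove hold-down, which is why the slide tells the operator to keep the revoked key published that long. The key-tag check shows why monitoring by tag alone misleads during a roll: the same key 'A' reports a tag 128 higher once REVOKE is set.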