PowerPoint Presentation

-127

Regular Rollover

nChild generates new zone signing key and signs with two keys.
nQuery for the parental DS and remember the TTL you will need it later
ndnssec-signzone Ð k Ksub.tld.+5+12345.key Ðk Ksub.tld.+5+67890.key
nUpload the new key to the parent. The parent will generate a new DS RR.
nCheck if all parental servers (slaves and masters) have picked up the change, wait another TTL before you remove the old key.


	Waiting for Òanother TTLÓ is vital. One wants to be sure that the DS RRs that point to the old Keys have expired from caches. If a revolver gets a DS record pointing to a KEY that is not available than the chain of trust breaks and your zone may be marked ÒBADÓ.