-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathzsk_key_rollover.txt
39 lines (21 loc) · 1.19 KB
/
zsk_key_rollover.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
DNSSEC ZSK Key Rollover for Inline Signed Zones
## change to dnssec key directory
cd <your dnssec key directory>
===============================================================================================================================
## use dnssec-settime to set inactive time (now + 10 minutes) and deletion time (now + 15 minutes) on current ZSK
## dnssec-settime: warning: Permissions on the file <current ZSK> have changed from 0664 to 0600 as a result of this operation.
dnssec-settime -I +10mi -D +15mi <current zsk>
## change group owner back to bind user for all dnssec keys in directory
chgrp bind K*
## add read/write permissions to bind for all dnssec keys in directory
chmod g+rw K*
==================================================================
## generate new dnssec successor key with activation time equals inactivation time of current dnssec key and set prepublication interval of 5 minutes before activation time
dnssec-keygen -S <current zsk> -i 5mi
## change group owner back to bind user for all dnssec keys
chgrp bind K*
## add read/write permissions to bind for all dnssec keys
chmod g+rw K*
## (re)load all dnssec keys for specific zone
rndc loadkeys <zone>
###### done