[dnssec-deployment] RFC 5011
Holger Zuleger
Holger.Zuleger at hznet.de
Wed Nov 26 04:48:34 EST 2008
bmanning at vacation.karoshi.com wrote:
> Has -anyone- (other than presumably Mike) built an implementation of RFC 5011, automated
> key rollover? I'm dusting off my crufty old Threshold code, but that is not "spec".
>
The Zone Key Tool (http://www.hznet.de/dns/zkt) implements an automated
KSK rollover according to the rules of RFC5011, so the focus is on zone
administration not on the validator side.
BTW, does anybody know which of the trusted islands being out there are
currently doing RFC5011 rollovers?
It would be very helpful to get some operational experience if, for
example, RIPE or the IANA testbed for the signed root would decide to
revoke the old key signing keys before they get rid of the zone.
Regards
Holger