[Yeti DNS Discuss] FW: KSK revoke issue

Davey Song(宋林健) ljsong at biigroup.cn
Mon Aug 29 01:11:22 UTC 2016


For your information, the Yeti KSK rolling is coming!

 

Davey

 

From: 龚道彪 [mailto:dbgong at biigroup.cn]
Sent: August 28, 2016 19:23
To: distributors
Cc: Davey(宋林健)
Subject: KSK revoke issue

 

Hi folks,

 

Current KSK stats are as follows.

New KSK (19444):

; This is a key-signing key, keyid 19444, for .
; Created: 20160710140145 (Sun Jul 10 22:01:45 2016)
; Publish: 20160710140145 (Sun Jul 10 22:01:45 2016)
; Activate: 20160830073746 (Tue Aug 30 15:37:46 2016)
; Inactive: 20161128073746 (Mon Nov 28 15:37:46 2016)
; Delete: 20161228073746 (Wed Dec 28 15:37:46 2016)

 

Old KSK (55954):

; This is a key-signing key, keyid 55954, for .
; Created: 20150630123127 (Tue Jun 30 20:31:27 2015)
; Publish: 20150630123127 (Tue Jun 30 20:31:27 2015)
; Activate: 20150630123127 (Tue Jun 30 20:31:27 2015)
; Inactive: 20160929055146 (Thu Sep 29 13:51:46 2016)
; Delete: 20161029055146 (Sat Oct 29 13:51:46 2016)

 

The new KSK will activate at 20160830073746.

According to Experiment-KROLL.md (https://github.com/BII-Lab/Yeti-Project/blob/master/doc/Experiment-KROLL.md), we will also set the revoked bit on the old KSK at 20160830073746.

The revoke action will add the Revoke field.

 

The old KSK will be removed 30 days after the revoked bit is set.

The old KSK MUST permanently be considered invalid as a trust anchor.

 

There are two KSKs in Yeti root zone until the old KSK is removed.

 

So our signer script should be able to handle the revoked KSK.

Please check the signer script.

 

Thank you.

 

Regards,

--

Kevin
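
An added example, not part of the original message or of the Yeti signer scripts: a Python check that reads BIND-style timing metadata like that quoted above and reports, for a given UTC time, whether each KSK is in the zone, whether it signs the DNSKEY RRset, and which flags value it carries (257, or 385 once the RFC 5011 REVOKE bit is set). The `Revoke` line on the old key is constructed from the revoke time announced in the message, and all function names are illustrative.

```python
import re
from datetime import datetime, timezone

# Timing metadata copied from the message. The Revoke line on the old key is
# constructed from the revoke time the message announces (20160830073746).
NEW_KSK = """\
; This is a key-signing key, keyid 19444, for .
; Publish: 20160710140145 (Sun Jul 10 22:01:45 2016)
; Activate: 20160830073746 (Tue Aug 30 15:37:46 2016)
; Inactive: 20161128073746 (Mon Nov 28 15:37:46 2016)
; Delete: 20161228073746 (Wed Dec 28 15:37:46 2016)
"""
OLD_KSK = """\
; This is a key-signing key, keyid 55954, for .
; Publish: 20150630123127 (Tue Jun 30 20:31:27 2015)
; Activate: 20150630123127 (Tue Jun 30 20:31:27 2015)
; Revoke: 20160830073746 (constructed)
; Inactive: 20160929055146 (Thu Sep 29 13:51:46 2016)
; Delete: 20161029055146 (Sat Oct 29 13:51:46 2016)
"""

KSK_FLAGS, REVOKE_BIT = 257, 0x0080  # ZONE|SEP, plus the RFC 5011 REVOKE bit

def utc(stamp):
    """Parse a 14-digit timestamp (YYYYMMDDHHMMSS); the numeric form is UTC."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_key(text):
    """Return (keyid, {field: datetime}) from the key-file comment lines."""
    keyid = int(re.search(r"keyid (\d+)", text).group(1))
    times = {f: utc(s) for f, s in re.findall(r"^; (\w+): (\d{14})", text, re.M)}
    return keyid, times

def ksk_state(text, stamp):
    """How a signer should treat this KSK at the given UTC timestamp."""
    keyid, t = parse_key(text)
    now = utc(stamp)
    reached = lambda field: field in t and now >= t[field]
    revoked = reached("Revoke")
    return {
        "keyid": keyid,  # id from the key file; the on-wire key tag changes once REVOKE is set
        "in_zone": reached("Publish") and not reached("Delete"),
        "signs_dnskey": reached("Activate") and not reached("Inactive"),
        "revoked": revoked,  # a revoked key is never valid as a trust anchor again
        "flags": KSK_FLAGS | REVOKE_BIT if revoked else KSK_FLAGS,
    }

def check(stamp):
    """State of the new and old KSK, in that order, at the given timestamp."""
    return [ksk_state(key, stamp) for key in (NEW_KSK, OLD_KSK)]
```

Between the revoke time and the old key's Inactive time, both entries report `signs_dnskey` as true, which is the window in which a signer script has to cope with a DNSKEY RRset holding one active and one revoked KSK.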
