[Yeti DNS Discuss] Yeti KSK roll status

dbgong dbgong at biigroup.cn
Fri May 5 02:36:59 UTC 2017

Hi Daniel,

When the old KSK(19444) is revoked, the revoke bit is set, then the key id will add 128, that is '19444+128', so we get 19572.
And the key  is not changed, just flags changed to 385 and key id change to 19572.
Please try to use wireshark to analyze the query  '. dnskey'.

On 2017-05-04  23:59 
  Daniel Stirnimann  <daniel.stirnimann at switch.ch> wrote:
>> dig @::1 . soa +short
>> www.yeti-dns.org. tisf.yeti-dns.org. 2017050300 1800 900 604800 86400
> From the dig result, the DNSKEY RRset got from DM-TISF, currently, the
> revoked KSK have not been used by DM-TISF.
> So your resovler did not get the revoked DNSKEY RRset.
> Please check the resovler at next serial number.
"A key" is revoked but it's key id 19572. key id 19444 does not exist
rndc managed-keys status
view: default
next scheduled event: Thu, 04 May 2017 22:31:06 GMT
    name: .
    keyid: 19572
algorithm: RSASHA256
next refresh: Thu, 04 May 2017 22:31:06 GMT
remove at: Sat, 03 Jun 2017 10:31:06 GMT
trust revoked
    keyid: 59302
algorithm: RSASHA256
flags: SEP
next refresh: Thu, 04 May 2017 22:31:06 GMT
trusted since: Sun, 02 Apr 2017 21:20:02 GMT
discuss mailing list
discuss at lists.yeti-dns.org


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.yeti-dns.org/pipermail/discuss/attachments/20170505/aee66b35/attachment.html>

More information about the discuss mailing list