Step 1: starting situation

Written by Roland van Rijswijk in category: Architecture, Procedures, Technical

The diagram above shows the starting situation on the source signer. The starting situation shown is a typical snapshot of the state of a signer that uses the “ZSK pre-publication” rollover strategy in which a ZSK is pre-published before it is made active and in which old signatures are gradually rolled to the new key during a key rollover.

The diagram shows the active DS in the parent zone at the top. This DS “certifies” the active KSK for the zone, depicted below it. In turn, this KSK signs the entire DNSKEY set, which will include an active ZSK (depicted in the middle, directly below the KSK), and may include an old ZSK (which is still being published because there are still signatures in use that depend on it) and may include a new pre-published ZSK.

The authoritative name servers are publishing zone data that is output by the source signer at this moment in the process. This continues to be the case until the document explicitly mentions that this changes.

Record the characteristics such as the maximum zone TTL and the SOA serial number of the zone. You can use this worksheet to do this.

Comments are closed