The KSK rollover is usually done at the end of its lifetime. But a key rollover can be forced before that by issuing the rollover command.
- Check the status of your keys:
sudo rndc dnssec -status labbX.examples.nu
- Initiate a KSK rollover:
sudo rndc dnssec -rollover -key <KEY ID> labbX.examples.nu
- Check the status of your keys again, to see that a new KSK has been generated:
sudo rndc dnssec -status labbX.examples.nu
- Verify that the dnskey record is published:
dig @127.0.0.1 labbX.examples.nu dnskey +multi
- Generate a DS record for the new key:
sudo dnssec-dsfromkey -2 /var/cache/bind/KlabbX.examples.nu.+013+<KEY ID>.key
- Ask your teacher to update the DS in the parent zone.
- Wait until the new DS has been uploaded. Check the DS with the following command:
dig @ns1.examples.nu labbX.examples.nu DS
- Tell BIND that the new DS is published in the parent zone:
sudo rndc dnssec -checkds -key <KEY ID> published labbX.examples.nu
- Ask your teacher to remove the old DS from the parent zone.
- Wait until the old DS has been removed. Check the DS with the following command:
dig @ns1.examples.nu labbX.examples.nu DS
- Tell BIND that the old DS has been removed from the parent zone:
sudo rndc dnssec -checkds -key <KEY ID> withdrawn labbX.examples.nu
- Wait for BIND to remove the old key from the zone. This should only take a few minutes. You can check periodically with:
sudo rndc dnssec -status labbX.examples.nu
or
dig @127.0.0.1 labbX.examples.nu dnskey +multi
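A check for the DS steps above: before telling BIND `-checkds published` (and again before `-checkds withdrawn`), compute the DS from the DNSKEY the way dnssec-dsfromkey does and compare it against the DS set the parent actually serves. This is an added example, not part of the lab text; the DNSKEY in it is a constructed all-zero key, not a real one.

```python
from __future__ import annotations
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lower-case) wire format, RFC 4034 section 6.2."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def parse_dnskey(line: str) -> tuple[str, bytes]:
    """(owner, RDATA) from one presentation-format DNSKEY line (dig +multi rejoined)."""
    f = line.split()
    i = f.index("DNSKEY")
    flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
    pubkey = base64.b64decode("".join(f[i + 4:]))
    return f[0], struct.pack("!HBB", flags, proto, alg) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B; this is the <KEY ID> rndc expects."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_from_dnskey(owner: str, rdata: bytes, digest_type: int = 2) -> tuple[int, int, int, str]:
    """(key tag, algorithm, digest type, digest), as dnssec-dsfromkey -2 prints it."""
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest

def parse_ds(line: str) -> tuple[int, int, int, str]:
    """Parse one DS line as returned by `dig @ns1.examples.nu labbX.examples.nu DS`."""
    f = line.split()
    i = f.index("DS")
    return int(f[i + 1]), int(f[i + 2]), int(f[i + 3]), "".join(f[i + 4:]).upper()

def ds_published(dnskey_line: str, ds_lines: list[str]) -> bool:
    """True if the parent's DS set contains a DS derived from this DNSKEY."""
    owner, rdata = parse_dnskey(dnskey_line)
    published = {parse_ds(l) for l in ds_lines if "DS" in l.split()}
    return any(ds_from_dnskey(owner, rdata, dt) in published for dt in DIGESTS)

# Constructed sample (not a real key): a 64-byte all-zero ECDSA P-256 KSK (flags 257, alg 13).
SAMPLE_DNSKEY = ("labbX.examples.nu. 3600 IN DNSKEY 257 3 13 "
                 + base64.b64encode(bytes(64)).decode())

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    tag, alg, dt, digest = ds_from_dnskey(owner, rdata)
    print(f"{owner} IN DS {tag} {alg} {dt} {digest}")
```

Feed it the DNSKEY line of the new KSK and the DS answer section from the parent; a match means it is safe to run `-checkds published`, and the same check against the old key returning False confirms the old DS is gone before `-checkds withdrawn`.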
Next Section: Algorithm Rollover