1 / 19

Step-by-Step Guide for DNSSEC Key Rollover Process

This guide provides a detailed step-by-step process for performing a DNSSEC key rollover using ZKT Keyman. The procedure includes generating new keys, propagating the key signing key (KSK), and removing the old keys. It emphasizes the importance of waiting for DNS propagation and checking the status of the rollover. Follow the outlined steps to ensure a successful transition of security parameters with minimal disruption. Ensure that you complete each phase carefully, as outlined, to maintain the integrity of your domain's DNSSEC configuration.

ember
Télécharger la présentation

Step-by-Step Guide for DNSSEC Key Rollover Process

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. ZKTRullanycklar Torbjörn Eklöv

  2. zkt-keyman

  3. “Steg 1” • zkt-keyman -c ./dnssec.conf-1 xn--eklv-7qa.se. • zkt-signer -c ./dnssec.conf -r -N /etc/bind/named.conf

  4. dsset dig ds +short xn--eklv-7qa.se. 11400 7 2 19AD0EE1B0198B3BCC30B1B7FF1EABEE79B2D012D5D06423DABC445F 0663D4B0 11400 7 1 3D2B838E7231A7DCC592E79B135685256AA1432E Ny!!

  5. Lägguppnycke{ln|larna}

  6. Domänhanteraren Hämta de nyanycklarna

  7. “Steg 2” • zkt-keyman -c ./dnssec.conf-2 xn--eklv-7qa.se. • zkt-keyman: ksk_rollover (phase2): you have to wait for the propagation of the new KSK (at least 2971sec or 49m31s)

  8. zkt-keyman -c dnssec.conf -0 xn--eklv-7qa.se.

  9. Kontrollera!

  10. Vänta!

  11. Testaoch till slut händerdet! Direkt mot .se TLD NS Mot er resolver

  12. “Steg 2” • zkt-keyman -c dnssec.conf -2 xn--eklv-7qa.se. • save new ksk in parent file

  13. “Steg 3” • zkt-keyman -c dnssec.conf -3 xn--eklv-7qa.se. • zkt-keyman: ksk_rollover (phase3): you have to wait for DS propagation (at least 3856sec or 1h4m16s)

  14. zkt-keyman -c dnssec.conf -0 xn--eklv-7qa.se.

  15. Nycklar nu

  16. Domänhanteraren Ta bortnycklarnaochhämtaigen

  17. “Steg 3” • zkt-keyman -c dnssec.conf -3 xn--eklv-7qa.se. • remove parentfile • old ksk renamed

  18. Dnscheck

  19. Sammanfattning • zkt-keyman -c ./dnssec.conf -1 kommun.se. • zkt-signer -c ./dnssec.conf -r -N /etc/bind/named.conf • Läggupp de nyanycklarna via er registrar ochvänta tills .SE publicerat de/dem ~2 timmar • zkt-keyman -c ./dnssec.conf -2 xn--eklv-7qa.se. • Ta bort de gamlanycklarnaochväntapå .SE • zkt-keyman -c dnssec.conf -3 xn--eklv-7qa.se • Klart!

More Related