Are you interested in our Early Access Program (EAP)? This program allows you to preview code, test in your lab and provide feedback prior to General Availability (GA) release of all Infoblox products. If so, please click the link here.



DNSSEC - KSK Rollover

[ Edited ]
Posts: 1
826     1



I have a DNSSEC singed zone with the default KSK Rollover period of 1 year. I want to know what happens after 1 year when the rollover period expires naturally.


I understand that a new KSK key pair gets generated and the DNSKEY record set is signed with it and since Double-Sign method is used the old KSK is also valid until the grace period. 


So what is the grace period when the KSK expires naturally? 


If its half the rollover period i.e 182.5 days then do I have this much time to update the registrar with the new DS record? 


Once the new DS record has been updated at the registar I wait for the TTL and then remove the old DS record. Then again wait for the TTL to expire and then remove the old KSK from the zone? Is this the correct way to perform a seamless rollover?


Thank you.

Showing results for 
Search instead for 
Did you mean: 

Recommended for You