7. Operational instructions

7.1. Publishing a DS
7.2. ZSK rollover
7.3. KSK rollover
7.4. Going insecure
7.5. NSEC(3) change

In this chapter various DNSSEC transitions are discussed, and how to execute them within PowerDNSSEC.

7.1. Publishing a DS

To publish a DS to a parent zone, utilize 'pdnssec show-zone' and take the DS from its output, and transfer it securely to your parent zone.

7.2. ZSK rollover

.. pdnssec activate-zone-key ZONE next-key-id .. .. pdnssec deactivate-zone-key ZONE prev-key-id .. .. pdnssec remove-zone-key ZONE prev-key-id ..

7.3. KSK rollover

.. pdnssec add-zone-key ZONE ksk .. .. pdnssec show-zone ZONE and communicate duplicate DS .. .. pdnssec activate-zone-key ZONE next-key-id .. .. pdnssec deactivate-zone-key ZONE prev-key-id .. .. pdnssec remove-zone-key ZONE prev-key-id ..

7.4. Going insecure

.. pdnssec disable-dnssec ..

7.5. NSEC(3) change

This section describes how to change NSEC(3) parameters when they are already set.

[Warning]Warning

The following instructions might not be correct or complete!

.. pdnssec set-nsec3 ZONE 'parameters' .. pdnssec show-zone ZONE and communicate duplicate DS ..

For further details, please see Section 5, “'pdnssec' for PowerDNSSEC command & control”.