Radware Alteon Application Manual page 747

Application switch operating system

Table 63: Automated ZSK Rollover as Defined in RFC 4641
Initial DNSKEY
RRSIG1 (DNSKEY)
RRSIG10 (DNSKEY)
To initiate a ZSK rollover
Initiate the automatic rollover using the timer.
To initiate an immediate rollover, set the timer to 0.
Note:
Radware does not recommend the initiation of an immediate rollover.
As a result, the following occurs:
1. A new ZSK is created and stored in the key storage location.
2. The system administrator is notified through SNMP, console, or e-mail that a new ZSK has been
created.
3. The new ZSK is published using DNSKEY.
4. The system administrator is notified through SNMP, console, or e-mail that a new ZSK has been
published to the supporting ISP.
5. A timeout of 12 hours, in addition to the TTL of the original ZSK, starts before enabling the
DNSKEY publication.
6. All zone records are signed with the new ZSK, including all RRSIGs still existing in cache.
7. The old RRSIGs are removed from storage. The old ZSK remains in storage and is publicly
available using DNSKEY.
8. A timeout of 12 hours, in addition to the TTL of the highest signed RRSIG, starts.
9. The old ZSK is revoked and is removed from storage.
Automated KSK Rollover
The expiration period is the period for which the key is valid (for example, one month). The rollover
period is defined in Alteon as the period during which the rollover will be finished before the key
expiration period starts. When entering the value, ensure that it is valid and does not overlap with
the expiration date.
To initiate a KSK rollover
Initiate the automatic rollover using the timer.
To initiate an immediate rollover, set the timer to 0.
Note:
Radware does not recommend the initiation of an immediate rollover.
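The two waits in steps 5 and 8 of the ZSK rollover, combined with the rule that a rollover must finish before the key expires, worked through as a schedule calculation. This is an added example, not Radware code: the function names and sample TTLs are constructed, and it assumes that steps 1-4 complete when the timer fires and that the expiration rule stated in the KSK section applies to the ZSK as well.

```python
from datetime import datetime, timedelta, timezone

HOLD = timedelta(hours=12)  # fixed wait added to each TTL in steps 5 and 8


def zsk_rollover_schedule(start, old_zsk_ttl, max_rrsig_ttl):
    """Map the page's steps to wall-clock times.

    Assumption: steps 1-4 (create, notify, publish, notify) complete
    at the moment the rollover timer fires.
    """
    if old_zsk_ttl < timedelta(0) or max_rrsig_ttl < timedelta(0):
        raise ValueError("TTLs must not be negative")
    resign = start + HOLD + old_zsk_ttl        # step 5 wait, then steps 6-7
    retire = resign + HOLD + max_rrsig_ttl     # step 8 wait, then step 9
    return {
        "new_zsk_published": start,
        "zone_signed_with_new_zsk": resign,
        "old_zsk_removed": retire,
    }


def latest_start(key_expiry, old_zsk_ttl, max_rrsig_ttl):
    """Latest timer firing that still removes the old ZSK by key_expiry."""
    return key_expiry - (2 * HOLD + old_zsk_ttl + max_rrsig_ttl)


def finishes_before_expiry(start, key_expiry, old_zsk_ttl, max_rrsig_ttl):
    """Assumption: the expiry rule from the KSK section also governs the ZSK."""
    plan = zsk_rollover_schedule(start, old_zsk_ttl, max_rrsig_ttl)
    return plan["old_zsk_removed"] <= key_expiry


# Constructed sample values, not taken from any real zone.
START = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRY = datetime(2024, 1, 31, tzinfo=timezone.utc)
ZSK_TTL = timedelta(hours=1)
RRSIG_TTL = timedelta(hours=24)

if __name__ == "__main__":
    for phase, when in zsk_rollover_schedule(START, ZSK_TTL, RRSIG_TTL).items():
        print(f"{phase:26} {when:%Y-%m-%d %H:%M} UTC")
    print("latest start:", latest_start(EXPIRY, ZSK_TTL, RRSIG_TTL))
    print("fits:", finishes_before_expiry(START, EXPIRY, ZSK_TTL, RRSIG_TTL))
```

With a 1-hour DNSKEY TTL and a 24-hour maximum RRSIG TTL the rollover occupies 49 hours, so a timer that fires later than 49 hours before expiry cannot complete the sequence in time.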
Document ID: RDWR-ALOS-V2900_AG1302
Alteon Application Switch Operating System Application Guide
Global Server Load Balancing

Table 63 (continued)
New DNSKEY          New RRSIGs          DNSKEY Removal
RRSIG1 (DNSKEY)     RRSIG1 (DNSKEY)     RRSIG1 (DNSKEY)
RRSIG10 (DNSKEY)    RRSIG11 (DNSKEY)    RRSIG11 (DNSKEY)