@bortzmeyer
Created March 22, 2019 12:26
Last step of the DNSSEC key rollover at the root

The former KSK is still there

% dig @a.root-servers.net  DNSKEY .

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @a.root-servers.net DNSKEY .
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25705
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;.			IN DNSKEY

;; ANSWER SECTION:
.			168242 IN DNSKEY 385 3 8 (
				AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ
				bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh
				/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA
				JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp
				oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3
				LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO
				Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc
				LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0=
				) ; revoked KSK; alg = RSASHA256 ; key id = 19164
.			168242 IN DNSKEY 256 3 8 (
				AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfs
				PBT+whyj0/UhD7cWeixV9Wqzj/cnqs8iWELqhdzGX41Z
				taNQUfWNfOriASnWmX2D9m/EunplHu8nMSlDnDcT7+ll
				E9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG39dyAb7t
				z21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qA
				QT1Mgwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY
				6b1LTg34/YfHdiIIZQqAfqbieruCGHRiSscC2ZE7iNre
				L/76f4JyIEUNkt6bQA29JsegxorLzQkpF7NKqZc=
				) ; ZSK; alg = RSASHA256 ; key id = 16749
.			168242 IN DNSKEY 257 3 8 (
				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
				) ; KSK; alg = RSASHA256 ; key id = 20326
.			168242 IN RRSIG	DNSKEY 8 0 172800 (
				20190402000000 20190312000000 19164 .
				Nsqc9FdurKoopW8LBqJ3meWY2eOl162PzphTelIEpA6t
				uK6MitZL22bb8kYjZUxcQmV3tY0GZzA8Z9xpUIaRUZAQ
				zgwFlSx8crGVRanL0lAsPhu7wj8P+TSa1bOIUZFqPheE
				asLhyX+02EORskJ3XhtZNB/sddtkFnyKwmj5h8w2btqs
				Gurpgvga8yflFUPIMMAaQYtewhmW8AcQ5R9uOIMWimwr
				LaB+9WA+yLqzRao6Wl7YqY4fRk/hFCW3V9pDJdakNPYP
				lt65hFkxkBTYean3V7QIrBg/EegCWnMd3B6xZJCuKcEh
				RxpJTUmkjYiGShBqNNH9PvLwy27U1YpnJA== )
.			168242 IN RRSIG	DNSKEY 8 0 172800 (
				20190402000000 20190312000000 20326 .
				A76nZ8WVsD+pLAKJh9ujKxxRDWfJf8SxayOkq3Gq9TX4
				BStpQM1e/KuX8am4FrVRCGQvLlhiYFNqm+PtevGGJAO0
				lTFLSiIuavknlkSiI3HMkrMDqSV+YlIQPk1C720khNpW
				y70WjjNvkq4sBU1GTkVPeFkM3gQI53pCHW+VobCPXZz7
				0J+PnSOq7SmjrwXgU8E9iSXkI3yfhGIup2c54Sf9w0Bw
				10opvxXMT+1ALgWY1TnV1/gRixIUZp1K86iR8VeX9K/4
				UTqEa5bYux+aeIcQ2/4Qqyo3Ocb2RrbUvDNzU2lB4b1r
				/oHqsd6C0SiGmdo0A8R44djKMHVaD/JmLg== )

;; Query time: 3 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Mar 22 12:26:17 UTC 2019
;; MSG SIZE  rcvd: 1425
@bortzmeyer
Author

This was zone #2019032101.

@bortzmeyer
Author

And with zone #2019032201:

% dig @a.root-servers.net  DNSKEY .

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @a.root-servers.net DNSKEY .
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1031
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;.			IN DNSKEY

;; ANSWER SECTION:
.			172800 IN DNSKEY 256 3 8 (
				AwEAAcH+axCdUOsTc9o+jmyVq5rsGTh1EcatSumPqEfs
				PBT+whyj0/UhD7cWeixV9Wqzj/cnqs8iWELqhdzGX41Z
				taNQUfWNfOriASnWmX2D9m/EunplHu8nMSlDnDcT7+ll
				E9tjk5HI1Sr7d9N16ZTIrbVALf65VB2ABbBG39dyAb7t
				z21PICJbSp2cd77UF7NFqEVkqohl/LkDw+7Apalmp0qA
				QT1Mgwi2cVxZMKUiciA6EqS+KNajf0A6olO2oEhZnGGY
				6b1LTg34/YfHdiIIZQqAfqbieruCGHRiSscC2ZE7iNre
				L/76f4JyIEUNkt6bQA29JsegxorLzQkpF7NKqZc=
				) ; ZSK; alg = RSASHA256 ; key id = 16749
.			172800 IN DNSKEY 256 3 8 (
				AwEAAeVDC34GZILwsQJy97K2Fst4P3XYZrXLyrkausYz
				SqEjSUulgh+iLgHg0y7FIF890+sIjXsk7KLJUmCOWfYW
				PorNKEOKLk5Zx/4M6D3IHZE3O3m/Eahrc28qQzmTLxiM
				ZAW65MvR2UO3LxVtYOPBEBiDgAQD47x2JLsJYtavCzNL
				5WiUk59OgvHmDqmcC7VXYBhK8V8Tic089XJgExGeplKW
				Ut9yyc31ra1swJX51XsOaQz17+vyLVH8AZP26KvKFiZe
				oRbaq6vl+hc8HQnI2ug5rA2zoz3MsSQBvP1f/HvqsWxL
				qwXXKyDD1QM639U+XzVB8CYigyscRP22QCnwKIU=
				) ; ZSK; alg = RSASHA256 ; key id = 25266
.			172800 IN DNSKEY 257 3 8 (
				AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO
				iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN
				7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5
				LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8
				efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7
				pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY
				A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws
				9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU=
				) ; KSK; alg = RSASHA256 ; key id = 20326
.			172800 IN RRSIG	DNSKEY 8 0 172800 (
				20190412000000 20190322000000 20326 .
				BI3MM0d7oqfNX6Tqgw5NwCZ2DfKtQXDHWE7VdIJK3HCm
				skguJQH8WDyRaR6leI5aprwtQyylYze2FPtP8qWLSVSR
				MUPIEF4Sdw5y2KonV4zi5S22xMeu43Cgk+yFrCTkzi6I
				fCMlFf6dehwAFCYJZvYQkT2twhZXVkPjuLB+VQlmvmpz
				fTFN3VcaDvvNJ6CSVCVbNKpRmPnUgscLEjWC0HydBlUS
				OhZSQEetIKnm/HN+biN9VptVyEwiKY/mzvuMcEPu/3+j
				/a3hgOlg2TVzI0NEadZy8zeXPHleDKgLA32NChTuWgIy
				e+8HwftIwUOJQPczEqdgFSIZ5Ak0YdD3uw== )

;; Query time: 32 msec
;; SERVER: 198.41.0.4#53(198.41.0.4)
;; WHEN: Fri Mar 22 18:21:30 UTC 2019
;; MSG SIZE  rcvd: 1139
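
An added example, not part of the original gist: the key ids that dig prints can be recomputed from the DNSKEY RDATA (RFC 4034, Appendix B), which shows why the former KSK is listed as key id 19164 once its REVOKE bit is set (flags 385 instead of 257). The function names are assumptions of this example; the key material is copied from the first answer above.

```python
import base64
import struct

# DNSKEY flag bits (RFC 4034 section 2.1.1; REVOKE from RFC 5011 section 7).
ZONE, REVOKE, SEP = 0x0100, 0x0080, 0x0001

# Key material copied from the first dig answer above, whitespace removed.
FORMER_KSK = (
    "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQ"
    "bSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh"
    "/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWA"
    "JQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXp"
    "oY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3"
    "LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGO"
    "Yl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGc"
    "LmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0="
)
CURRENT_KSK = (
    "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTO"
    "iW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN"
    "7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5"
    "LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8"
    "efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7"
    "pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLY"
    "A4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws"
    "9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU="
)

def key_tag(flags, key_b64, protocol=3, algorithm=8):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte  # sum RDATA as 16-bit words
    acc += (acc >> 16) & 0xFFFF                   # fold the carry back in
    return acc & 0xFFFF

def describe(flags):
    """Same labels dig prints in its comments: ZSK, KSK, revoked KSK."""
    if not flags & ZONE:
        return "not a zone key"
    role = "KSK" if flags & SEP else "ZSK"
    return "revoked " + role if flags & REVOKE else role

if __name__ == "__main__":
    for flags, key in [(385, FORMER_KSK), (257, FORMER_KSK), (257, CURRENT_KSK)]:
        print(flags, describe(flags), key_tag(flags, key))
```

Because the flags field is part of the hashed RDATA, the same public key has a different key id before and after revocation, so a monitor that tracks trust anchors by key id alone has to match on the key material as well.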
