Commit de099379 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

doc: dnssec: mentioned CSK rollovers

parent 505af3b3
......@@ -328,6 +328,11 @@ to the settings (see :ref:`KSK<policy_ksk-lifetime>` and :ref:`ZSK<policy_zsk-li
The algorithm rollover happens when the policy :ref:`algorithm<policy_algorithm>`
field is updated to a different value.
The signing scheme rollover happens when the policy :ref:`singing scheme<policy_single-type-signing>`
field is changed.
It's also possible to change the algorithm and signing scheme in one rollover.
The operator may check the next rollover phase time by watching the next zone signing time,
either in the log or via ``knotc zone-status``. There is no special log for finishing a rollover.
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment