[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Nov 2 11:11:04 UTC 2009


Hi

Am I correct if I say that old KSKs are currently automatically deactivated in accordance with the rollover algorithm?

It should only be deactivated once the user has had the chance to publish the new DS to its parent. Shouldn't the rollover process be a two-step rocket?

First make a new key active.

And then deactivate the old key on command from the user (or any script running on the machine) when the new DS is published.

// Rickard
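A sketch of the gate the second step in the message above calls for, as an added example that is not part of the original post and is not OpenDNSSEC code: it derives the DS record for the new KSK (RFC 4034 key tag, SHA-256 digest type 2) and allows deactivation of the old KSK only if the parent's DS set already contains it. The function names, the zone name and the key bytes are assumptions constructed for illustration; fetching the parent's DS RRset is left to the caller.

```python
import hashlib
import struct

def name_to_wire(name: str) -> bytes:
    """Canonical (lowercased) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034 Appendix B."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_for(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, SHA-256 hex digest) for a DNSKEY."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def may_deactivate_old_ksk(owner: str, new_ksk_rdata: bytes, parent_ds_set) -> bool:
    """True only if the parent's DS set already covers the new KSK."""
    flags = struct.unpack("!H", new_ksk_rdata[:2])[0]
    if not flags & 0x0001:  # SEP bit clear: this is not a KSK
        return False
    published = {(t, a, d, h.lower().replace(" ", "")) for t, a, d, h in parent_ds_set}
    return ds_for(owner, new_ksk_rdata) in published

# Constructed sample data (placeholder key material, not real keys).
ZONE = "example.com."
OLD_KSK = dnskey_rdata(257, 3, 8, bytes(range(64)))
NEW_KSK = dnskey_rdata(257, 3, 8, bytes(range(64, 128)))
PARENT_BEFORE = [ds_for(ZONE, OLD_KSK)]                     # new DS not yet published
PARENT_AFTER = PARENT_BEFORE + [ds_for(ZONE, NEW_KSK)]      # new DS published

if __name__ == "__main__":
    print(may_deactivate_old_ksk(ZONE, NEW_KSK, PARENT_BEFORE))
    print(may_deactivate_old_ksk(ZONE, NEW_KSK, PARENT_AFTER))
```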

