<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Exchange Server">
<!-- converted from rtf -->
<style><!-- .EmailQuote { margin-left: 1pt; padding-left: 4pt; border-left: #800000 2px solid; } --></style>
</head>
<body>
<font face="Arial" size="2">
<div>-----BEGIN PGP SIGNED MESSAGE-----</div>
<div>Hash: SHA256</div>
<div> </div>
<div>> 1) Key reaches retirement, and the system starts prompting (via syslog) for</div>
<div>> the DS record of the new key to be submitted.</div>
<div>> 2) When the DS is submitted and seen in the DNS the rollover happens in</div>
<div>> response to the "ds-seen" command.</div>
<div> </div>
<div>What I saw was that you could not do this on a standby key without forcing a rollover. But maybe this was not a requirement.</div>
<div> </div>
<div>> The alternative is that:</div>
<div>> </div>
<div>> 1) The user issues the ds-seen command at any time, on any key. This marks</div>
<div>> the key as having been "seen".</div>
<div>> 2) When the current key reaches retirement, provided that there is a key in</div>
<div>> the ready state that has been marked as "seen", then the rollover will</div>
<div>> continue automatically.</div>
<div> </div>
<div>Remembering the discussion about having a tool which synchronizes DS records in the parent with the KSK key set. This scheme would be a good interface for such a tool.</div>
<div> </div>
<div>> This second scheme requires maybe one day's work to write and test a bit. So</div>
<div>> my question is which scheme do people prefer?</div>
<div> </div>
<div>I would prefer the second scheme, but as you say, it requires some more changes to the code.</div>
<div> </div>
<div>> What we could do is rename the current command as "ksk-roll" which is a</div>
<div>> more accurate description of what it does, and add the alternate scheme for</div>
<div>> v1.1. This way you can work with either scheme.</div>
<div> </div>
<div>Just so it is clear to the user how to do a KSK rollover (if we are going to keep the first scheme). E.g.</div>
<div> </div>
<div>ods-ksmutil key rollover --zone example.com --keytype KSK</div>
<div>(upload new DS to parent)</div>
<div>ods-ksmutil key ksk-roll --zone example.com --keytag 12345</div>
<div> </div>
<div>Just to remember: The key rollovers are something that OpenDNSSEC should be good at. Maybe so important that it must be solved before v1.0.</div>
<div> </div>
<div>// Rickard</div>
<div> </div>
<div>-----BEGIN PGP SIGNATURE-----</div>
<div>Version: 9.8.3 (Build 4028)</div>
<div>Charset: utf-8</div>
<div> </div>
<div>wsBVAwUBSwusQeCjgaNTdVjaAQiq1wf/QKCkp6Dlw9eaBShWs6m0YboXarcnhNJx</div>
<div>wX2tE/qOc458bSiUnhhC7Av1TnVnxcxaylUgI4boS26TewSafp4uAVte9K/82fwq</div>
<div>Sp5Uevwj/7VhbwbqyM5ttJXdVsoNZ7wfSA+pRwCN7f12eCGqxxu89MIlzNH2jkB/</div>
<div>61/Z7tC8BNgdedUYj4t0bbcMVI73MqaNCm2XGV2OhbviG2EJQYZRdDzjjAYJw5bc</div>
<div>0g9MN+31g7cv6nEf5oOQxs3VyBpa3Pm7LpPO1nWsHJ+EMgnvxnybJV9ae/3T1k3e</div>
<div>7czBF+o9fnDQzSJ2HJqk8sn62QpXnZdug7MdHTv8mIfMce3tcnYCzg==</div>
<div>=quPj</div>
<div>-----END PGP SIGNATURE-----</div>
<div> </div>
<div> </div>
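<div>Added example, not code from the thread or from OpenDNSSEC: a small Python model of the two ds-seen schemes under discussion, written to make the difference in triggering concrete. In scheme 1 the ds-seen command itself performs the rollover (including on a standby key before retirement, as Rickard reports seeing); in scheme 2 ds-seen only marks a key as seen, and the rollover at retirement continues automatically only if a ready key has been marked. The property both schemes protect is that a KSK never becomes the active signer before its DS is confirmed in the parent, since a zone signed by a KSK with no matching DS cannot be validated. The key states, the log list standing in for syslog, the keytags 11111/12345 and the rule that a late ds-seen completes a pending scheme 2 rollover are all constructed assumptions of this model.</div>

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Key:
    keytag: int
    state: str             # "active", "ready" (standby) or "retired"
    ds_seen: bool = False  # operator confirmed the DS is published in the parent


@dataclass
class Zone:
    name: str
    keys: List[Key]
    retire_pending: bool = False                 # active key hit retirement, waiting on a DS
    log: List[str] = field(default_factory=list)  # constructed stand-in for syslog

    def key(self, keytag: int) -> Key:
        return next(k for k in self.keys if k.keytag == keytag)

    def active(self) -> Key:
        return next(k for k in self.keys if k.state == "active")

    def ready_seen(self) -> Optional[Key]:
        return next((k for k in self.keys if k.state == "ready" and k.ds_seen), None)

    def roll_to(self, new: Key) -> None:
        """Make `new` the active KSK and retire the current one."""
        old = self.active()
        old.state = "retired"
        new.state = "active"
        self.retire_pending = False
        self.log.append(f"{self.name}: rolled KSK {old.keytag} -> {new.keytag}")

    def prompt(self, keytag: Optional[int]) -> None:
        """The syslog prompt both schemes fall back to when no DS is confirmed."""
        self.retire_pending = True
        if keytag is None:
            self.log.append(f"{self.name}: no standby KSK available for rollover")
        else:
            self.log.append(f"{self.name}: submit DS for key {keytag} to the parent")


# Scheme 1: ds-seen is the rollover trigger.
def scheme1_retire(zone: Zone, standby: Key) -> None:
    # Retirement only prompts; nothing rolls until the operator answers.
    zone.prompt(standby.keytag)


def scheme1_ds_seen(zone: Zone, keytag: int) -> None:
    # Issuing ds-seen rolls immediately, whether or not retirement was reached
    # (this is the forced rollover on a standby key noted in the thread).
    new = zone.key(keytag)
    new.ds_seen = True
    zone.roll_to(new)


# Scheme 2: ds-seen only records that the DS was seen.
def scheme2_ds_seen(zone: Zone, keytag: int) -> None:
    new = zone.key(keytag)
    new.ds_seen = True
    zone.log.append(f"{zone.name}: key {keytag} marked as seen")
    # Assumption of this model (the thread does not say): a ds-seen that
    # arrives after retirement completes the rollover that was waiting on it.
    if zone.retire_pending and new.state == "ready":
        zone.roll_to(new)


def scheme2_retire(zone: Zone) -> None:
    candidate = zone.ready_seen()
    if candidate is not None:
        zone.roll_to(candidate)  # DS already confirmed: continue automatically
    else:
        unseen = [k for k in zone.keys if k.state == "ready"]
        zone.prompt(unseen[0].keytag if unseen else None)


def new_zone() -> Zone:
    # Constructed sample: one active KSK and one standby KSK.
    return Zone("example.com", [Key(11111, "active"), Key(12345, "ready")])


def normal_rollover(scheme: str) -> Zone:
    """Full rollover in the order each scheme expects; returns the final zone state."""
    zone = new_zone()
    if scheme == "scheme1":
        scheme1_retire(zone, zone.key(12345))  # prompt via syslog
        scheme1_ds_seen(zone, 12345)           # operator answers, key rolls
    else:
        scheme2_ds_seen(zone, 12345)  # operator confirms DS ahead of time
        scheme2_retire(zone)          # retirement rolls without intervention
    return zone


def early_ds_seen(scheme: str) -> int:
    """ds-seen on the standby key before retirement; returns the active keytag afterwards."""
    zone = new_zone()
    if scheme == "scheme1":
        scheme1_ds_seen(zone, 12345)
    else:
        scheme2_ds_seen(zone, 12345)
    return zone.active().keytag


if __name__ == "__main__":
    for scheme in ("scheme1", "scheme2"):
        print(scheme, "->", normal_rollover(scheme).log)
        print(scheme, "early ds-seen leaves active keytag", early_ds_seen(scheme))
```

<div>Running the block shows the contrast Rickard's message is about: with scheme 1 an early ds-seen on keytag 12345 forces the rollover straight away, while with scheme 2 the same command leaves 11111 active and the rollover proceeds on its own at retirement. A parent-synchronisation tool of the kind mentioned in the message would map naturally onto scheme 2, since it can mark keys as seen whenever it confirms the DS without steering the rollover itself.</div>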
</font>
</body>
</html>