[Opendnssec-develop] Creating keys
Stephen.Morris at nominet.org.uk
Mon Dec 1 14:34:09 UTC 2008
John Dickinson <jad at jadickinson.co.uk> wrote on 01/12/2008 13:50:48:
> If you share keys do you need to coordinate key rollovers? For
> example, what about if you have 10 zones all sharing a key. Can you
> then add an 11th? It will have a different timeline for key rollovers.
> For starters the key publication and ready dates will be different,
> this means that the predicted key retire and dead times will be
> different. I guess you could sync them by retiring the key early in
> zone 11. Does rollover need to be done for all zones at the same time?
I wouldn't see that as an absolute requirement, but it would simplify the
management software.

Perhaps we should look at the question in a different way: in the case
where a group of zones share a key, under what circumstances would we
require that a key be rolled at different times in different zones?

Stephen