[Opendnssec-develop] Creating keys

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Mon Dec 1 14:34:09 UTC 2008

John Dickinson <jad at jadickinson.co.uk> wrote on 01/12/2008 13:50:48:

> If you share keys do you need to coordinate key roll overs? For 
> example, what about if you have 10 zones all sharing a key. Can you 
> then add an 11th? It will have a different timeline for key rollovers. 
> For starters the key publication and ready dates will be different, 
> this means that the predicted key retire and dead times will be 
> different. I guess you could sync them by retiring the key early in 
> zone 11. Does rollover need to be done for all zones at the same time?

I wouldn't see that as an absolute requirement, but it would simplify the 
management software.

Perhaps we should look at the question in a different way: in the case 
where a group of zones share a key, under what circumstances would we 
require that a key be rolled at different times in different zones?


More information about the Opendnssec-develop mailing list