[Opendnssec-develop] Creating keys

Olaf Kolkman olaf at NLnetLabs.nl
Mon Dec 1 14:40:07 UTC 2008

>> And again, here I can see a many zones using one private key. With  
>> that possibility a number of these questions do not pop up. One  
>> private key (with many public key instances) that is used for many  
>> zones. One single generation, one single backup an al this magic.
>> Not that one priv-key to many zones excludes many-to-many.
> If you share keys do you need to coordinate key roll overs? For  
> example, what about if you have 10 zones all sharing a key. Can you  
> then add an 11th? It will have a different timeline for key  
> rollovers. For starters the key publication and ready dates will be  
> different, this means that the predicted key retire and dead times  
> will be different. I guess you could sync them by retiring the key  
> early in zone 11. Does rollover need to be done for all zones at the  
> same time?

Yes, all zones that share the same private key will need to roll at  
the same time. For a KSK rollover that is most tricky since you have  
to wait until all DS RRs at the parents are replaced, and then wait a  
little more, but I do not think that is not doable.

Besides "retiring" the key is AFAIU a concept that applies to the  
private key material, so the key-lifetime is a property of the  
(private key) and not of a zone.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 235 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20081201/35816481/attachment.bin>

More information about the Opendnssec-develop mailing list