[Opendnssec-develop] Creating keys
Olaf Kolkman
olaf at NLnetLabs.nl
Mon Dec 1 14:40:07 UTC 2008
>>
>> And again, here I can see many zones using one private key. With
>> that possibility a number of these questions do not pop up. One
>> private key (with many public key instances) that is used for many
>> zones. One single generation, one single backup and all this magic.
>>
>> Not that one priv-key to many zones excludes many-to-many.
>
> If you share keys do you need to coordinate key roll overs? For
> example, what about if you have 10 zones all sharing a key. Can you
> then add an 11th? It will have a different timeline for key
> rollovers. For starters the key publication and ready dates will be
> different, this means that the predicted key retire and dead times
> will be different. I guess you could sync them by retiring the key
> early in zone 11. Does rollover need to be done for all zones at the
> same time?
>
>
Yes, all zones that share the same private key will need to roll at
the same time. For a KSK rollover that is most tricky since you have
to wait until all DS RRs at the parents are replaced, and then wait a
little more, but I do not think that is not doable.
Besides "retiring" the key is AFAIU a concept that applies to the
private key material, so the key-lifetime is a property of the
(private key) and not of a zone.
--Olaf
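As an added illustration of the constraint stated above (not code from this thread or from OpenDNSSEC), the retire time of a KSK shared by several zones is bounded by the slowest zone: the old DS must have expired from caches at every parent first, so a zone joining the shared key late can only push the key's retire time out for all of them. The timing model, field names and safety margin are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ZoneDS:
    """Per-zone view of the DS switch at the parent (constructed sample data)."""
    name: str
    ds_replaced_at: int   # seconds since epoch when the parent published the new DS
    parent_ds_ttl: int    # TTL of the DS RRset at the parent, in seconds

def shared_ksk_retire_time(zones, safety_margin=3600):
    """Earliest time a shared KSK may be retired.

    The key is a single object, so its retire time is the latest point at which
    any parent's old DS can still sit in a resolver cache, plus a margin
    (the "wait a little more" from the message above; margin is an assumption).
    """
    if not zones:
        raise ValueError("a shared key must be attached to at least one zone")
    return max(z.ds_replaced_at + z.parent_ds_ttl for z in zones) + safety_margin

def retire_time_after_join(zones, new_zone, safety_margin=3600):
    """Retire time once `new_zone` joins the shared key, and whether that
    delays the schedule the existing zones already had."""
    before = shared_ksk_retire_time(zones, safety_margin)
    after = shared_ksk_retire_time(list(zones) + [new_zone], safety_margin)
    return after, after > before

# Constructed sample: two zones already on the shared key, one joining later.
ZONES = [ZoneDS("example.org", 0, 86400), ZoneDS("example.net", 3600, 7200)]
LATE_ZONE = ZoneDS("example.com", 100000, 3600)

if __name__ == "__main__":
    print("retire at", shared_ksk_retire_time(ZONES))
    print("after join:", retire_time_after_join(ZONES, LATE_ZONE))
```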