[Opendnssec-develop] Creating keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Mon Dec 1 14:43:24 UTC 2008

Stephen.Morris at nominet.org.uk wrote:
> John Dickinson <jad at jadickinson.co.uk> wrote on 01/12/2008 13:50:48:
>> If you share keys do you need to coordinate key roll overs? For 
>> example, what about if you have 10 zones all sharing a key. Can you 
>> then add an 11th? It will have a different timeline for key rollovers. 
>> For starters the key publication and ready dates will be different, 
>> this means that the predicted key retire and dead times will be 
>> different. I guess you could sync them by retiring the key early in 
>> zone 11. Does rollover need to be done for all zones at the same time?
> I wouldn't see that as an absolute requirement, but it would simplify the 
> management software.
> Perhaps we should look at the question in a different way: in the case 
> where a group of zones share a key, under what circumstances would we 
> require that a key be rolled at different times in different zones?

Correct me if I'm wrong, but to me it seems that this is only an issue
when a new zone is added, and it is only an issue for the first rollover
for that zone. I think it would make sense to have all zones that share
a key roll over simultaneously, so if a new zone is added for a key,
this zone would most likely get a key rollover earlier than would
normally be the policy, but only for the first key rollover; after that
first rollover it is in sync with the rest of the zones sharing the keys.

In my opinion, it would not be wise to have zones that share a key roll
over at different times. The only disadvantage I can see here is that in
this model you might have to sign a lot of zones at the same time when a
key rollover is about to take place, and you run the risk of all zone
re-signs remaining in sync if the same signing policy is used for all
zones that share a key, thus creating peaks in signing activity.

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
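
The alignment rule discussed above (a late-joining zone retires the shared key early, only for its first rollover, after which it stays in sync with the group) as a small worked model. This is an added example, not code from the thread or from OpenDNSSEC; the day-based timeline numbers and the policy parameters are constructed, and the function names are my own.

```python
"""Model of shared-key rollover alignment (added example, constructed units)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyTimeline:
    """Key lifecycle instants for one zone, in days from an arbitrary epoch."""
    publish: int  # key appears in the zone
    ready: int    # key may be used (published long enough for caches)
    retire: int   # key stops signing; successor takes over
    dead: int     # key may be removed from the zone


def planned_timeline(publish: int, ready_delay: int, lifetime: int,
                     dead_delay: int) -> KeyTimeline:
    """Timeline a zone's own policy would predict if it rolled in isolation."""
    ready = publish + ready_delay
    retire = ready + lifetime
    return KeyTimeline(publish, ready, retire, retire + dead_delay)


def aligned_timeline(own: KeyTimeline, shared: KeyTimeline) -> KeyTimeline:
    """Align a late-joining zone with the group's shared key.

    The zone keeps its own publish/ready dates (those are fixed by when it
    joined), but retires no later than the group does, so its *first*
    rollover is early.  The dead date keeps the zone's own retire->dead gap.
    """
    retire = min(own.retire, shared.retire)
    return KeyTimeline(own.publish, own.ready, retire,
                       retire + (own.dead - own.retire))


def rollover_load(timelines: list[KeyTimeline]) -> dict[int, int]:
    """Count how many zones hit a retire event on each day.

    With the same policy for every zone this shows the signing peak the
    thread warns about: aligned zones all re-sign on the same day.
    """
    return dict(Counter(t.retire for t in timelines))


if __name__ == "__main__":
    shared = planned_timeline(publish=0, ready_delay=10, lifetime=90, dead_delay=7)
    late = planned_timeline(publish=50, ready_delay=10, lifetime=90, dead_delay=7)
    zone11 = aligned_timeline(late, shared)
    print("zone 11 retires on day", zone11.retire, "instead of", late.retire)
    print("retire events per day:", rollover_load([shared] * 10 + [zone11]))
```

The output shows the eleventh zone's first rollover pulled forward from day 150 to day 100, and all eleven retire events landing on the same day.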
