[Opendnssec-develop] Key rollover date

Olaf Kolkman olaf at NLnetLabs.nl
Fri Aug 7 10:15:49 UTC 2009


On 7 Aug 2009, at 12:01, Rickard Bondesson wrote:

> Hi
>
> Is there a problem if the key rollover date is not fixed in time?
>
> E.g.: My system does automatic rollover in March every year. In
> August I perform an emergency rollover, but now my system will
> perform the automatic rollover in August every year.
>

I can imagine many managerial/operational reasons why you would like  
to determine the time during which a key-rollover takes place.

e.g.:
- You want to roll the key shortly before or after billing
- You want to make sure your key staff are not on vacation or at a
conference

In other words, a KSK rollover is an event one would like to plan.
Since there are interactions with humans/3rd parties, I would also like
to get a warning (either by polling the system on when I may expect
the next KSK roll, or by a hook that sends me mail or another push).


> This is because each key is valid for one year in this case, and the
> emergency rollover shifted the usual rollover date. Are there some
> use cases where you want to roll the key at a specific date and
> time? E.g. I want to roll my ZSKs on the first of each month.
>

For the ZSK I think being able to specify the date exactly is less of  
an issue, as ZSK rolls should not involve any human interaction.

> Then there is also a problem that P1M (one month) does not equal the  
> same amount in seconds every month. So you get a shift by this also.
>

Nah... if no human interaction/3rd party reliance is there I do not  
think that is a big deal.


> Olaf, you mentioned something about this. Would repeating intervals  
> from ISO 8601 solve your problems? http://en.wikipedia.org/wiki/ISO_8601#Repeating_intervals
>

It's probably close...

So suppose I had an emergency roll in August and I would like to
configure the system to do the next roll in July, how would I express
that?


> How important is this feature?


I think it is important.

The reason why I (as an early deployer) am nervous about turning on
OpenDNSSEC on my system is that I know I will forget when I initiated
the KSK, and I have no idea when it's going to happen and how to make
sure I get a warning when it does.
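
As an added example (not OpenDNSSEC code; the "R/<date>/P<duration>"
policy string and all function names are my own assumptions), here is a
small Python scheduler that shows the points raised in this thread: a
key-lifetime policy lets an emergency roll shift every later roll, an
ISO 8601 repeating interval anchored to a fixed date does not, re-anchoring
the interval expresses "next roll in July", P1M is not a fixed number of
seconds, and a look-ahead check gives the operator a warning before the
next KSK roll:

```python
import re
import calendar
from datetime import date, timedelta

# Duration part of an ISO 8601 repeating interval, restricted to Y/M/D.
_DURATION = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?$")


def parse_repeating_interval(spec):
    """Parse 'R/YYYY-MM-DD/P<n>Y<n>M<n>D' (unbounded repetitions, an
    assumed policy syntax) into (anchor_date, months, days); years are
    folded into months."""
    rep, start, dur = spec.split("/")
    if rep != "R":
        raise ValueError("only unbounded 'R/' repetition is handled here")
    m = _DURATION.match(dur)
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %s" % dur)
    years, months, days = (int(g) if g else 0 for g in m.groups())
    return date.fromisoformat(start), 12 * years + months, days


def add_months(d, n):
    """Calendar-aware month step: the day is clamped to the target month."""
    total = d.month - 1 + n
    year, month = d.year + total // 12, total % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def scheduled_rolls(spec, count):
    """The first `count` rollover dates implied by the repeating interval."""
    anchor, months, days = parse_repeating_interval(spec)
    return [add_months(anchor, i * months) + timedelta(days=i * days)
            for i in range(count)]


def next_anchored_roll(spec, after):
    """Next planned roll strictly after `after`, computed from the fixed
    anchor. An emergency roll in between does not move this date."""
    anchor, months, days = parse_repeating_interval(spec)
    i = 0
    while True:
        candidate = add_months(anchor, i * months) + timedelta(days=i * days)
        if candidate > after:
            return candidate
        i += 1


def next_lifetime_roll(last_roll, lifetime_months):
    """Key-lifetime policy: the next roll is one lifetime after the *last*
    roll, so an emergency roll shifts every later roll (the problem
    described in the thread)."""
    return add_months(last_roll, lifetime_months)


def reanchor(spec, new_anchor):
    """Express 'next roll in July' after an emergency roll by re-anchoring
    the repeating interval; the duration is kept."""
    _, _, dur = spec.split("/")
    return "R/%s/%s" % (new_anchor.isoformat(), dur)


def p1m_lengths_in_seconds(spec, count):
    """Seconds between consecutive rolls; shows that P1M is not a constant."""
    rolls = scheduled_rolls(spec, count)
    return [int((b - a).total_seconds()) for a, b in zip(rolls, rolls[1:])]


def roll_warning(spec, today, lookahead_days):
    """Days until the next planned roll if it falls inside the look-ahead
    window, else None. A daily cron job can mail the operator whenever
    this returns a number."""
    remaining = (next_anchored_roll(spec, today) - today).days
    return remaining if remaining <= lookahead_days else None


if __name__ == "__main__":
    ksk_policy = "R/2009-03-01/P1Y"   # constructed policy: roll every March
    emergency = date(2009, 8, 7)       # constructed emergency roll date
    print("planned rolls:", scheduled_rolls(ksk_policy, 3))
    print("lifetime policy next roll:", next_lifetime_roll(emergency, 12))
    print("anchored policy next roll:", next_anchored_roll(ksk_policy, emergency))
    july = reanchor(ksk_policy, date(2010, 7, 1))
    print("re-anchored to July:", july, next_anchored_roll(july, emergency))
    print("P1M in seconds:", p1m_lengths_in_seconds("R/2009-01-31/P1M", 4))
    print("warning (days):", roll_warning(ksk_policy, date(2010, 2, 1), 30))
```

The anchored variant answers the first question: as long as the planned
roll is derived from the policy anchor rather than from the previous key's
creation time, an emergency roll in August leaves the March schedule in
place, and moving it to July is a one-line change of the anchor.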

