[Opendnssec-develop] Key rollover date

Rickard Bondesson rickard.bondesson at iis.se
Fri Aug 7 11:10:57 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> > Then there is also a problem that P1M (one month) does not 
> equal the 
> > same amount in seconds every month. So you get a shift by this also.
> >
> 
> Nah... if no human interaction/3rd party reliance is there I do not  
> think that is a big deal.

So for the ZSK, we can assume that the period is most important rather than the exact date. And that the current solution is working as intended.

> > Olaf, you mentioned something about this. Would repeating 
> intervals  
> > from ISO 8601 solve your problems? 
> http://en.wikipedia.org/wiki/ISO_8601#Repeating_intervals
> >
> 
> Its probably close...
> 
> So suppose I had an emergency roll in August and I would like to  
> configure the system to do the next role in july, how would I 
> express  
> that?

The next question is then: Should the retire date of the KSK that was manually rolled be set to the same value as the previous key?
No, not when you intend to always roll your KSK manually. That would mean that you eventually will come to a time where the key is rolled automatically.

A fast solution would be to remove the <Lifetime> tag for the KSK, so that you always need to roll the KSK manually. Because, as you say, it always involves contact with a third party (which is not standardized).

Or should the <Lifetime> be present in the kasp.xml, but the system only send a reminder to the admin and does not perform the rollover automatically. "It is time to roll the key within two weeks. Issue 'ksmutil rollzone se KSK' when you are ready".

> > How important is this feature?
> 
> 
> I think it is important.
> 
> The reason why I (as early deployer) am nervous about turning on  
> opendnssec on my system is that I know I will forget when I 
> initiated  
> the KSK and I have no idea on when its going to happen and 
> how to make  
> sure I get a warning when it does.

For now you have to set the KSK lifetime to a big value and do the rollover manually: "ksmutil rollzone se KSK"

// Rickard
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSnwLweCjgaNTdVjaAQioHwf/X6+epbxwoMbdi9DrJLApjBFtSMEckz+N
Um2bn7oOFEpsbeTspQ0fcNLfdodO2xZQ8IhLX9b/1/RaVImysYEQIeOaS2+MuBD9
BR8LhW0VmRsKYm9cxcTD4a9qXpdV1d60ppUu70uH1mpEuILeT283Hud51IbZw5Tf
cdFcc8RNTX1kUTsrU+MAZN0M69rYgqIVYSbB38rqgXlufoecSpnn8OwJZ+cvRv7t
IN6jGTouNURUAsHbCF8aSnQkzrpEFjTRbnS+QfWBtP45LyszressFnVNSz/+rntF
lyNWvDShtcFepANm2OJLSSFlf3lbsCEOmbtgBE014U19FuSao4nfIg==
=l1HW
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list