[Opendnssec-develop] Key rollover date
rickard.bondesson at iis.se
Fri Aug 7 11:10:57 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
> > Then there is also a problem that P1M (one month) does not
> equal the
> > same amount in seconds every month. So you get a shift by this also.
> Nah... if no human interaction/3rd party reliance is there I do not
> think that is a big deal.
So for the ZSK, we can assume that the period is most important rather than the exact date. And that the current solution is working as intended.
> > Olaf, you mentioned something about this. Would repeating
> > from ISO 8601 solve your problems?
> Its probably close...
> So suppose I had an emergency roll in August and I would like to
> configure the system to do the next role in july, how would I
The next question is then: Should the retire date of the KSK that was manually rolled be set to the same value as the previous key?
No, not when you intend to always roll your KSK manually. That would mean that you eventually will come to a time where the key is rolled automatically.
A fast solution would be to remove the <Lifetime> tag for the KSK, so that you always need to roll the KSK manually. Because, as you say, it always involves contact with a third party (which is not standardized).
Or should the <Lifetime> be present in the kasp.xml, but the system only send a reminder to the admin and does not perform the rollover automatically. "It is time to roll the key within two weeks. Issue 'ksmutil rollzone se KSK' when you are ready".
> > How important is this feature?
> I think it is important.
> The reason why I (as early deployer) am nervous about turning on
> opendnssec on my system is that I know I will forget when I
> the KSK and I have no idea on when its going to happen and
> how to make
> sure I get a warning when it does.
For now you have to set the KSK lifetime to a big value and do the rollover manually: "ksmutil rollzone se KSK"
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop