[Opendnssec-develop] getting information from the system

sion at nominet.org.uk sion at nominet.org.uk
Mon Aug 10 09:25:14 UTC 2009


> > What about lifetime == infinite (while I am thinking about
> > it); for people who only want emergency rollovers.
> >
> > Is this required for v1.0?
>
> Or how about having a lifetime for the KSK, but the rollovers are
> not happening automatically within libksm. The KSK rollovers can only
> happen when you issue the command. The KSK lifetime in the policy is
> then an indication on how often the operator should issue the KSK-
> roll-command.
>
> The KSK lifetime is then used by the auditor to notify the operator
> that it should now (within two weeks, one week, 3 days, or 1 day)
> issue the KSK-roll-command to be able to follow the given policy.

So a flag in the policy "Automatic Rollovers" yes/no. That sounds like a
good idea.

With the warnings, what we have agreed in the past is that we will write a
particular message to the log which some other process will pick up to
issue the notification. We will though need some idea about how far in
advance these should be sent, something else to add to the policy. Unless
anyone objects I will write these messages whether automatic rollovers
are turned on or not, possibly with some extra text based on this
option.

It seems to me that both of these policy items should be in the KSK/ZSK
sections so that they could be different for each.

Sion
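The scheme discussed above, as an added illustration that is not OpenDNSSEC or libksm code: a per-key-type policy with the proposed "Automatic Rollovers" flag, and a check that emits the log line an external notifier would pick up at the lead times mentioned (two weeks, one week, 3 days, 1 day). Function and field names, the message text and the once-per-threshold behaviour are assumptions.

```python
"""Constructed example of the KSK/ZSK lifetime warning scheme from the thread.
Not OpenDNSSEC code; names, message wording and lead times are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Lead times from the thread: two weeks, one week, 3 days, 1 day.
DEFAULT_LEAD_TIMES = (timedelta(days=14), timedelta(days=7),
                      timedelta(days=3), timedelta(days=1))


@dataclass
class KeyPolicy:
    key_type: str                 # "KSK" or "ZSK": each section carries its own settings
    lifetime: timedelta           # key lifetime from the policy
    automatic_rollover: bool      # proposed "Automatic Rollovers" yes/no flag
    lead_times: tuple = DEFAULT_LEAD_TIMES
    warned: set = field(default_factory=set)   # thresholds already logged for this key


def check_key(zone: str, activated: datetime, now: datetime, policy: KeyPolicy):
    """Return the log line to write for this key at time `now`, or None.

    Each lead time is reported once, so a daily run does not repeat the same
    warning; if runs were missed, only the most urgent crossed threshold is
    reported and the earlier ones are marked as superseded."""
    remaining = activated + policy.lifetime - now
    if remaining <= timedelta(0):
        action = ("rolling automatically" if policy.automatic_rollover
                  else "issue the %s-roll command now" % policy.key_type)
        return "%s %s lifetime reached: %s" % (zone, policy.key_type, action)
    due = [lt for lt in policy.lead_times
           if remaining <= lt and lt not in policy.warned]
    if not due:
        return None
    lt = min(due)
    policy.warned.update(x for x in policy.lead_times if x >= lt)
    hint = ("" if policy.automatic_rollover
            else "; %s-roll command required" % policy.key_type)
    return "%s %s lifetime ends within %d day(s)%s" % (
        zone, policy.key_type, lt.days, hint)


if __name__ == "__main__":
    # Constructed timeline: a manually rolled KSK checked once a day.
    ksk = KeyPolicy("KSK", timedelta(days=365), automatic_rollover=False)
    start = datetime(2009, 8, 10)
    for day in range(350, 366):
        line = check_key("example.", start, start + timedelta(days=day), ksk)
        if line:
            print(line)
```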