[Opendnssec-develop] getting information from the system

sion at nominet.org.uk sion at nominet.org.uk
Mon Aug 10 13:00:55 UTC 2009


> > - What we are talking about here is semi-automatic key
> > rollovers, so things like generating and pre-publishing a key
> > (where applicable) is done automatically?
>
> Yeah, I do not see any problem with always automatically generating
> the key and pre-publishing the key.
>
> But you only make the KSK active on command by the operator.
> There is no default automatic publication of the KSK, so the
> rollover should never happen automatically now, right?

Yes, so long as all of the other settings in the policy are reasonable, the
rest of the timings should work as they do currently. All we are talking
about (I hope) is setting/ignoring the retire time of the key in question
(setting it to a particular point in time, or ignoring it if rollovers are
turned off, so that all that happens is the warning messages).

Other things will still work, e.g. rollover will be held up if there are no
suitable published keys to take over.

The worries I have are things like "what do we do if someone switches a
policy from one type to another".

> > - Do we also want to support manual key rollovers and key
> > management?
> > (and if so, why?)
>
> We never want manual key management once in operation, only when you
> want to add keys from a previous system. We do want the possibility
> for manual key rollover, e.g. emergency rollover or planned rollover
> (but faster than the policy is saying).

So is it unreasonable to think that someone may want to use ksm only to
help decide when it is safe to use a newly generated key and keep track of
what keys they have?

I'm not suggesting implementing this sort of thing in the near future, but
if we say "never" then I'd like to be sure that we mean it.

Sion
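As an added illustration of the rules being discussed (this is not ksm or OpenDNSSEC code; the key states, the policy fields, the integer timestamps and the "published long enough" test are all simplifying assumptions), the behaviour can be put in a small Python model: keys are always generated and pre-published automatically; a policy with manual rollover, as for the KSK here, only records a warning when the retire time arrives and waits for the operator's activate command; an automatic policy rolls over by itself but is held up while no key has been published long enough to take over; and the operator can activate a key early for an emergency or faster-than-policy rollover.

```python
"""Toy model of semi-automatic key rollover (illustration only, not OpenDNSSEC code).

Assumptions: four key states, a three-field policy, integer timestamps in
seconds, and a 'publish_safety' interval a key must have been published for
before it may take over.  Everything runs offline on constructed input.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class State(Enum):
    GENERATED = "generated"
    PUBLISHED = "published"
    ACTIVE = "active"
    RETIRED = "retired"


@dataclass
class Policy:
    manual_rollover: bool   # True: a key becomes active only on operator command
    lifetime: int           # how long a key stays active before its retire time
    publish_safety: int     # how long a key must be published before it may take over


@dataclass
class Key:
    key_id: str
    state: State = State.GENERATED
    published_at: Optional[int] = None
    retire_at: Optional[int] = None


@dataclass
class KeyRing:
    policy: Policy
    keys: List[Key] = field(default_factory=list)
    warnings: List[str] = field(default_factory=list)
    counter: int = 0

    def active(self) -> Optional[Key]:
        return next((k for k in self.keys if k.state is State.ACTIVE), None)

    def successor(self, now: int) -> Optional[Key]:
        """Oldest published key that has been published long enough to take over."""
        ready = [k for k in self.keys
                 if k.state is State.PUBLISHED
                 and now - k.published_at >= self.policy.publish_safety]
        return min(ready, key=lambda k: k.published_at) if ready else None

    def ensure_successor(self, now: int) -> None:
        """Automatic part: always keep one not-yet-active key generated and published."""
        if not any(k.state in (State.GENERATED, State.PUBLISHED) for k in self.keys):
            self.counter += 1
            self.keys.append(Key(f"key{self.counter}"))
        for k in self.keys:
            if k.state is State.GENERATED:
                k.state, k.published_at = State.PUBLISHED, now

    def _switch(self, new: Key, now: int) -> None:
        """Retire the current active key (if any) and make 'new' active."""
        old = self.active()
        if old is not None:
            old.state = State.RETIRED
        new.state = State.ACTIVE
        new.retire_at = now + self.policy.lifetime

    def activate(self, key_id: str, now: int) -> Key:
        """Operator command: planned or emergency rollover, possibly faster than the policy."""
        new = next((k for k in self.keys if k.key_id == key_id), None)
        if new is None or new.state is not State.PUBLISHED:
            raise ValueError(f"{key_id} is not a published key")
        if now - new.published_at < self.policy.publish_safety:
            raise ValueError(f"{key_id} has not been published long enough")
        self._switch(new, now)
        return new

    def tick(self, now: int) -> None:
        """Periodic run: roll over if due and safe (or only warn), then pre-publish."""
        cur = self.active()
        due = cur is None or now >= cur.retire_at
        if due:
            if self.policy.manual_rollover:
                self.warnings.append(f"{now}: rollover due, waiting for operator to activate a key")
            else:
                nxt = self.successor(now)
                if nxt is None:
                    self.warnings.append(f"{now}: rollover held up, no suitable published key")
                else:
                    self._switch(nxt, now)
        self.ensure_successor(now)
```

The two policy kinds differ only in what `tick` does when the retire time is reached: the automatic one switches keys itself (and is held up, with a warning, while no published key is old enough), the manual one never switches and only warns, so a KSK rollover happens only through `activate`. The same `publish_safety` check guards both paths, so an emergency `activate` is still refused for a key that has not been published long enough.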
