[Opendnssec-develop] Audit key rollovers

Rickard Bondesson rickard.bondesson at iis.se
Wed Aug 19 11:03:02 UTC 2009



Hi

I have a suggestion for some additional requirements for the auditor. Do you have any additional requirements?

***********************

3.6 Key rollover Checks

For each signed zone chosen for verification, the KA should:

   1. Keep a record of what keys have been used in the zone, from the KA's point of view:
         a. When it was pre-published (added to the zone).
         b. When it was made active.
         c. When it was retired.
         d. When it was made dead (removed from the zone).
         e. The information about the key may be dropped once the key is dead.
   2. Give a warning if the KSK is active longer than the period specified in the KASP.
   3. Give a warning if the ZSK is active longer than the period specified in the KASP.
   4. Give a warning if the number of pre-published KSKs is less than the number of emergency KSKs specified in the KASP.
   5. Give a warning if the number of pre-published ZSKs is less than the number of emergency ZSKs specified in the KASP.

***********************

A comment:
There are not enough emergency keys right after an emergency rollover, since that rollover made one of those active. So should the KA still give a warning about this? A new key will be added on the next run by keygend and communicated.

// Rickard
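The checks proposed above (the per-key lifecycle record and the four warnings) together with the open question about the shortfall right after an emergency rollover, worked through as an added example. This is illustration code written for this page, not OpenDNSSEC's auditor; the `Policy` and `RolloverAuditor` names, the flat policy fields (lifetime in seconds, emergency key count), the key tags and the `grace_after_emergency` window are all assumptions made here, and the zone history is constructed. The grace window is one possible answer to the question in the message: a shortfall is downgraded to a note when a key of that type went active within the window, on the assumption that keygend will top the pool up on its next run.

```ruby
require 'time'

DAY = 86_400

# Requirement 1: one record per key with the four transition times the
# auditor observes. Fields are nil until the transition has happened.
KeyRecord = Struct.new(:tag, :type, :published, :active, :retired, :dead)

# Hypothetical flat view of the KASP: maximum active period per key type
# (seconds) and the number of spare pre-published keys required per type.
Policy = Struct.new(:ksk_lifetime, :zsk_lifetime, :ksk_emergency, :zsk_emergency)

class RolloverAuditor
  STATES = %i[published active retired dead].freeze

  def initialize(policy)
    @policy = policy
    @records = {} # key tag => KeyRecord, in the order keys were first seen
  end

  # Record a transition as the auditor sees it in the signed zone.
  def observe(tag, type, state, at)
    raise ArgumentError, "unknown state #{state}" unless STATES.include?(state)
    rec = (@records[tag] ||= KeyRecord.new(tag, type, nil, nil, nil, nil))
    rec[state] = at
    @records.delete(tag) if state == :dead # 1e: drop the record once dead
    rec
  end

  def tracked_tags
    @records.keys
  end

  # Requirements 2-5, evaluated at time `now`. Returns the list of messages.
  # grace_after_emergency (seconds, or nil): if a key of the type went active
  # within this window, a pre-published shortfall is reported as a NOTE
  # rather than a WARNING, since an emergency rollover just consumed a spare.
  def warnings(now, grace_after_emergency: nil)
    out = []
    %i[ksk zsk].each do |type|
      lifetime  = @policy["#{type}_lifetime"]
      emergency = @policy["#{type}_emergency"]
      keys = @records.values.select { |r| r.type == type }

      # 2 and 3: a key is "active" until it has been retired.
      active = keys.select { |r| r.active && r.retired.nil? }
      active.each do |r|
        age = now - r.active
        next unless age > lifetime
        out << "WARNING: #{type.upcase} #{r.tag} active for #{(age / DAY).to_i} days, " \
               "KASP lifetime is #{lifetime / DAY} days"
      end

      # 4 and 5: pre-published means published but never made active.
      prepub = keys.count { |r| r.published && r.active.nil? }
      next unless prepub < emergency
      recent = grace_after_emergency &&
               active.any? { |r| now - r.active <= grace_after_emergency }
      level = recent ? "NOTE" : "WARNING"
      out << "#{level}: #{type.upcase}: #{prepub} pre-published key(s), " \
             "KASP requires #{emergency} emergency key(s)"
    end
    out
  end
end

# Constructed history: KSK lifetime 365 days with one spare, ZSK lifetime
# 30 days with one spare. ZSK 20001 has been active 40 days at audit time,
# and the spare ZSK 20002 was made active two days ago (emergency rollover),
# so no pre-published ZSK is left.
def sample_audit(grace: 7 * DAY)
  auditor = RolloverAuditor.new(Policy.new(365 * DAY, 30 * DAY, 1, 1))
  t0 = Time.utc(2009, 6, 1)
  auditor.observe(10001, :ksk, :published, t0)
  auditor.observe(10001, :ksk, :active,    t0 + 7 * DAY)
  auditor.observe(10002, :ksk, :published, t0 + 7 * DAY) # spare KSK, fine
  auditor.observe(20001, :zsk, :published, t0)
  auditor.observe(20001, :zsk, :active,    t0 + 7 * DAY)
  auditor.observe(20002, :zsk, :published, t0 + 7 * DAY)
  auditor.observe(20002, :zsk, :active,    t0 + 45 * DAY) # spare consumed
  auditor.warnings(t0 + 47 * DAY, grace_after_emergency: grace)
end

puts sample_audit if __FILE__ == $0
```

Run as written it prints one WARNING for the overdue ZSK and one NOTE for the missing spare; calling `sample_audit(grace: nil)` turns the note back into the strict warning the proposal asks for.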


