[Opendnssec-develop] Audit key rollovers
rickard.bondesson at iis.se
Wed Aug 19 11:03:02 UTC 2009
I have a suggestion for some additional requirements for the auditor. Do you have any additional requirements?
3.6 Key rollover Checks
For each signed zone chosen for verification, the KA should:
1. Keep a record of what keys have been used in the zone, from the KA point-of-view.
a. When it was pre-published (added to the zone).
b. When it was made active.
c. When it was retired.
d. When it was made dead (removed from the zone).
e. The information about the key may be dropped once the key is dead.
2. Give a warning if the KSK is active longer than the period specified in the KASP.
3. Give a warning if the ZSK is active longer than the period specified in the KASP.
4. Give a warning if the number of pre-published KSKs is less than the number of emergency KSKs specified in the KASP.
5. Give a warning if the number of pre-published ZSKs is less than the number of emergency ZSKs specified in the KASP.
There are not enough emergency keys right after an emergency rollover, since that rollover made one of those active. So should the KA still give a warning about this? A new key will be added on the next run by keygend and communicated.
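As an added illustration of the proposed 3.6 checks (this is example code, not the OpenDNSSEC auditor's own implementation and not part of the message above), the following Ruby model keeps the per-key record from 1a to 1e and evaluates checks 2 to 5 at a given point in time. The Policy field names, key tags, lifetimes and dates are constructed sample values.

```ruby
# Added example, not OpenDNSSEC code: a minimal model of the key-rollover
# checks proposed for the auditor (KA). Policy field names, key tags and
# dates are constructed sample values.

DAY = 86_400

# KASP values the checks compare against. Lifetimes are in seconds;
# emergency counts are the number of pre-published keys that must be
# available (assumed field names).
Policy = Struct.new(:ksk_lifetime, :zsk_lifetime, :emergency_ksks, :emergency_zsks)

# One key as recorded from the auditor's point of view (1a-1d). A timestamp
# stays nil until that transition has been observed in the signed zone.
class KeyRecord
  attr_reader :tag, :type, :prepublished, :activated, :retired, :dead

  def initialize(tag, type)
    @tag = tag
    @type = type # :ksk or :zsk
  end

  def prepublish!(t); @prepublished = t; end # 1a: added to the zone
  def activate!(t);   @activated = t;    end # 1b: started signing
  def retire!(t);     @retired = t;      end # 1c: stopped signing, still published
  def die!(t);        @dead = t;         end # 1d: removed from the zone

  # Pre-published: in the zone but not yet active.
  def prepublished?; !@prepublished.nil? && @activated.nil?; end
  def active?;       !@activated.nil? && @retired.nil?;      end
  def dead?;         !@dead.nil?;                            end
end

class RolloverAuditor
  def initialize(policy)
    @policy = policy
    @keys = {}
  end

  def record(key); @keys[key.tag] = key; end
  def key_count;   @keys.size;          end

  # 1e: the record may be dropped once the key is dead.
  def prune!; @keys.delete_if { |_, k| k.dead? }; end

  # Checks 2-5, evaluated at time +now+. Returns an array of warning strings.
  def check(now)
    warnings = []

    # 2 and 3: an active key must not outlive its KASP lifetime.
    @keys.each_value do |k|
      next unless k.active?
      lifetime = k.type == :ksk ? @policy.ksk_lifetime : @policy.zsk_lifetime
      active_for = now - k.activated
      next unless active_for > lifetime
      warnings << format('%s %d active for %d days, KASP period is %d days',
                         k.type.to_s.upcase, k.tag, active_for / DAY, lifetime / DAY)
    end

    # 4 and 5: enough pre-published keys to cover an emergency rollover.
    { ksk: @policy.emergency_ksks, zsk: @policy.emergency_zsks }.each do |type, needed|
      have = @keys.values.count { |k| k.type == type && k.prepublished? }
      next unless have < needed
      warnings << format('only %d pre-published %s(s), KASP requires %d emergency %s(s)',
                         have, type.to_s.upcase, needed, type.to_s.upcase)
    end

    warnings
  end
end

# Constructed scenario as of 2009-08-19: a healthy KSK, a ZSK active past
# its 30-day period, one pre-published ZSK, no pre-published KSK, and a
# dead KSK whose record is pruned before the checks run.
def sample_auditor
  auditor = RolloverAuditor.new(Policy.new(365 * DAY, 30 * DAY, 1, 1))

  ksk = KeyRecord.new(11111, :ksk)
  ksk.prepublish!(Time.utc(2009, 1, 1))
  ksk.activate!(Time.utc(2009, 1, 15))

  zsk_old = KeyRecord.new(22222, :zsk)
  zsk_old.prepublish!(Time.utc(2009, 7, 1))
  zsk_old.activate!(Time.utc(2009, 7, 10))

  zsk_new = KeyRecord.new(33333, :zsk)
  zsk_new.prepublish!(Time.utc(2009, 8, 1))

  ksk_dead = KeyRecord.new(44444, :ksk)
  ksk_dead.prepublish!(Time.utc(2007, 12, 1))
  ksk_dead.activate!(Time.utc(2007, 12, 15))
  ksk_dead.retire!(Time.utc(2008, 12, 15))
  ksk_dead.die!(Time.utc(2009, 1, 20))

  [ksk, zsk_old, zsk_new, ksk_dead].each { |k| auditor.record(k) }
  auditor.prune!
  auditor
end

def sample_warnings
  sample_auditor.check(Time.utc(2009, 8, 19))
end

puts sample_warnings if __FILE__ == $PROGRAM_NAME
```

Running the file prints two warnings for the constructed zone: the ZSK that has been active for 40 days against a 30-day period, and the missing pre-published KSK. The shortfall right after an emergency rollover that the message asks about shows up through the same check 4/5 path, since the key that was just made active no longer counts as pre-published.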