[Opendnssec-develop] Audit key rollovers
sion at nominet.org.uk
Wed Aug 19 12:33:26 UTC 2009
> 3.6 Key rollover Checks
>
> For each signed zone chosen for verification, the KA should:
>
> 1. Keep a record of what keys have been used in the zone, from
> the KA point-of-view.
> a. When it was pre-published (added to the zone).
> b. When it was made active.
> c. When it was retired.
> d. When it was made dead (removed from the zone).
> e. The information about the key may be dropped once the
> key is dead.
> 2. Give a warning if the KSK is active longer than the period
> specified in the KASP.
> 3. Give a warning if the ZSK is active longer than the period
> specified in the KASP.
> 4. Give a warning if the number of pre-published KSK:s is less
> than the number of emergency KSK:s specified in the KASP.
> 5. Give a warning if the number of pre-published ZSK:s is less
> than the number of emergency ZSK:s specified in the KASP.
>
> ***********************
>
> A comment:
> There are not enough emergency keys right after an emergency
> rollover, since that rollover made one of those active. So should
> the KA still give a warning about this? A new key will be added on
> the next run by keygend and communicated.
Another comment:
The timings for 2 and 3 will need to be "lifetime from kasp + run interval
of communicated" to avoid false warnings.
It could give a warning if the number of emergency keys is 0, this might
indicate that emergency keys should be increased in the policy?
Sion
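The checks from section 3.6 with the two points raised in this reply (the "lifetime from KASP + run interval of communicated" slack on checks 2 and 3, and the option of warning only when no emergency key is left), as an added example that is not code from this thread or from OpenDNSSEC; the record and policy field names, the epoch-second timings and the sample keys are assumptions constructed for it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class KeyRecord:
    """One key as the KA sees it (1a-1d). Epoch seconds; None means not yet reached."""
    tag: str
    ktype: str                     # "KSK" or "ZSK"
    prepublished: int              # 1a: added to the zone
    active: Optional[int] = None   # 1b
    retired: Optional[int] = None  # 1c
    dead: Optional[int] = None     # 1d: removed from the zone

@dataclass
class Kasp:
    """KASP values the checks need (field names are assumptions made for this example)."""
    ksk_lifetime: int
    zsk_lifetime: int
    emergency_ksks: int
    emergency_zsks: int

def audit_keys(records, kasp, now, run_interval, warn_at_zero_only=False):
    """Checks 2-5 on the live keys (dead ones are dropped first, 1e). The lifetime limit is
    'lifetime from KASP + run interval of communicated' so a key merely waiting for the next
    run is not flagged; warn_at_zero_only warns about emergency keys only when none are left."""
    live = [k for k in records if k.dead is None]
    warnings = []
    for k in live:
        if k.active is None or k.retired is not None:
            continue  # only currently active keys have a lifetime to check
        limit = (kasp.ksk_lifetime if k.ktype == "KSK" else kasp.zsk_lifetime) + run_interval
        if now - k.active > limit:
            warnings.append(f"{k.ktype} {k.tag} active {now - k.active}s, limit {limit}s")
    for ktype, required in (("KSK", kasp.emergency_ksks), ("ZSK", kasp.emergency_zsks)):
        prepub = sum(1 for k in live if k.ktype == ktype and k.active is None)
        short = (prepub == 0 and required > 0) if warn_at_zero_only else prepub < required
        if short:
            warnings.append(f"{prepub} pre-published {ktype}(s), KASP wants {required}")
    return warnings

# Constructed sample: k1 is past its lifetime but inside the run-interval slack, z1 is well
# past it, k2/z2 are pre-published (one KSK short of the policy's two), z0 is dead and ignored.
NOW, RUN_INTERVAL, DAY = 1_600_000_000, 3600, 86400
SAMPLE_KASP = Kasp(ksk_lifetime=365 * DAY, zsk_lifetime=30 * DAY, emergency_ksks=2, emergency_zsks=1)
SAMPLE_RECORDS = [
    KeyRecord("k1", "KSK", prepublished=NOW - 400 * DAY, active=NOW - 365 * DAY - 1800),
    KeyRecord("k2", "KSK", prepublished=NOW - DAY),
    KeyRecord("z1", "ZSK", prepublished=NOW - 40 * DAY, active=NOW - 35 * DAY),
    KeyRecord("z2", "ZSK", prepublished=NOW - 3600),
    KeyRecord("z0", "ZSK", prepublished=NOW - 90 * DAY, active=NOW - 80 * DAY, retired=NOW - 50 * DAY, dead=NOW - 45 * DAY),
]
```

Running `audit_keys(SAMPLE_RECORDS, SAMPLE_KASP, NOW, RUN_INTERVAL)` flags z1 and the KSK shortfall but not k1; passing `run_interval=0` shows the false warning on k1 that the slack avoids.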