[Opendnssec-develop] Audit key rollovers
Stephen.Morris at nominet.org.uk
Wed Aug 19 16:25:20 UTC 2009
"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 19/08/2009 13:33:26:
> > A comment:
> > There are not enough emergency keys right after an emergency
> > rollover, since that rollover made one of those active. So should
> > the KA still give a warning about this? A new key will be added on
> > the next run by keygend and communicated.
It should give a warning. The auditor is checking the assertion "number
of emergency keys in file == number of emergency keys in policy" and this
condition violates it.
I think this is one of those cases where knowledge of what has happened is
sufficient to allow a user to disregard the warning. We expect emergency
roll-overs to be rare and (presumably) the documentation will include a
description of what to do should one be required. That documentation
could include a note to the effect that a warning about insufficient
emergency keys will be output until new keys have been in the zone file
for long enough.
And, quite apart from anything else, it simplifies the auditor.
Stephen
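The assertion Stephen describes, modelled as a small added example (not OpenDNSSEC's own auditor code): key states, the policy layout and the `keygend_top_up` helper are hypothetical stand-ins for the real KASP schema and daemon, chosen only to show why the warning fires right after an emergency rollover and clears once keygend has added a replacement.

```python
# Added illustration of the auditor check "emergency keys in file == emergency
# keys in policy". Key states and the policy dict are hypothetical, not
# OpenDNSSEC's KASP schema.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Key:
    tag: int
    role: str    # "KSK" or "ZSK"
    state: str   # "active", "emergency" (standby, pre-published) or "retired"


def count_emergency(keys: List[Key], role: str) -> int:
    """Number of keys of the given role currently held in reserve."""
    return sum(1 for k in keys if k.role == role and k.state == "emergency")


def audit_emergency_keys(keys: List[Key], policy: Dict[str, int]) -> List[str]:
    """The assertion from the thread, one warning per role that violates it.
    policy maps role -> required number of emergency keys (hypothetical layout)."""
    warnings = []
    for role, required in policy.items():
        found = count_emergency(keys, role)
        if found != required:
            warnings.append(
                f"{role}: policy requires {required} emergency key(s), zone has {found}")
    return warnings


def emergency_rollover(keys: List[Key], role: str) -> List[Key]:
    """Retire the active key of a role and promote one emergency key in its place.
    Returns a new key list; raises if no emergency key is available to promote."""
    standby = next((k for k in keys if k.role == role and k.state == "emergency"), None)
    if standby is None:
        raise RuntimeError(f"no emergency {role} available for rollover")
    rolled = []
    for k in keys:
        if k.role == role and k.state == "active":
            rolled.append(Key(k.tag, k.role, "retired"))
        elif k is standby:
            rolled.append(Key(k.tag, k.role, "active"))
        else:
            rolled.append(k)
    return rolled


def keygend_top_up(keys: List[Key], policy: Dict[str, int], next_tag: int) -> List[Key]:
    """Stand-in for the next keygend run: add emergency keys until policy is met."""
    topped = list(keys)
    for role, required in policy.items():
        while count_emergency(topped, role) < required:
            topped.append(Key(next_tag, role, "emergency"))
            next_tag += 1
    return topped


# Constructed sample: one active and one emergency key per role, policy wants one spare each.
POLICY = {"KSK": 1, "ZSK": 1}
INITIAL = [Key(1, "KSK", "active"), Key(2, "KSK", "emergency"),
           Key(3, "ZSK", "active"), Key(4, "ZSK", "emergency")]


def walk_through():
    """Audit before the rollover, right after it, and after keygend has run."""
    before = audit_emergency_keys(INITIAL, POLICY)
    after_roll = emergency_rollover(INITIAL, "ZSK")
    during = audit_emergency_keys(after_roll, POLICY)
    after_keygend = keygend_top_up(after_roll, POLICY, next_tag=5)
    cleared = audit_emergency_keys(after_keygend, POLICY)
    return before, during, cleared


if __name__ == "__main__":
    labels = ("before rollover", "after emergency rollover", "after keygend")
    for label, warnings in zip(labels, walk_through()):
        print(label, "->", warnings or "no warnings")
```

The middle result is the warning the thread agrees the auditor should keep emitting: the zone really does hold fewer spare keys than policy requires, and the operator who just performed the rollover is the one who knows it is expected until the new key has been in the zone long enough.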