[Opendnssec-develop] Audit key rollovers

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Wed Aug 19 16:25:20 UTC 2009

"Rickard Bondesson" <rickard.bondesson at iis.se>  wrote on 19/08/2009 

> > A comment:
> > There are not enough emergency keys right after an emergency
> > rollover, since that rollover made one of those active. So should
> > the KA still give a warning about this? A new key will be added on
> > the next run by keygend and communicated.

It should give a warning.  The auditor is checking the assertion "number 
of emergency keys in file == number of emergency keys in policy" and this 
condition violates it.

I think this is one of those cases where knowledge of what has happened is 
sufficient to allow a user to disregard the warning.  We expect emergency 
roll-overs to be rare and (presumably) the documentation will include a 
description of what to do should one be required.  That documentation 
could include a note to the effect that a warning about insufficient 
emergency keys will be output until new keys have been in the zone file 
for long enough.

And, quite apart from anything else, it simplifies the auditor.
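A small model of the check discussed above, added here as an illustration rather than taken from OpenDNSSEC's auditor or keygend; the key state names, tags and the policy count are assumed, and the "in the zone file for long enough" delay is left out:

```python
from dataclasses import dataclass


@dataclass
class Key:
    tag: int
    state: str  # assumed states: "active", "emergency" (standby), "retired"


def count_emergency(keys):
    """Count the standby keys currently present (the 'in file' side)."""
    return sum(1 for k in keys if k.state == "emergency")


def audit_emergency_keys(keys, policy_emergency):
    """The assertion from the thread: emergency keys present == policy count.
    Returns a warning string when it is violated, otherwise None."""
    found = count_emergency(keys)
    if found != policy_emergency:
        return f"expected {policy_emergency} emergency key(s), found {found}"
    return None


def emergency_rollover(keys):
    """Promote one standby key to active and retire the old active key."""
    standby = next(k for k in keys if k.state == "emergency")
    for k in keys:
        if k.state == "active":
            k.state = "retired"
    standby.state = "active"
    return keys


def keygend_run(keys, policy_emergency, next_tag):
    """Top the standby pool back up to the policy count (the next keygend run)."""
    while count_emergency(keys) < policy_emergency:
        keys.append(Key(next_tag, "emergency"))
        next_tag += 1
    return keys


def scenario():
    """Audit before the rollover, right after it, and after keygend has run."""
    policy = 1  # assumed: policy asks for one standby key
    keys = [Key(1001, "active"), Key(1002, "emergency")]  # constructed key set
    before = audit_emergency_keys(keys, policy)
    emergency_rollover(keys)
    after = audit_emergency_keys(keys, policy)  # the warning the thread discusses
    keygend_run(keys, policy, next_tag=1003)
    replenished = audit_emergency_keys(keys, policy)
    return before, after, replenished
```

The middle result is the expected, disregardable warning: the rollover consumed the only standby key, and the assertion holds again once keygend has added a replacement.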
