[Opendnssec-develop] KSK rollover

sion at nominet.org.uk
Wed Dec 9 09:06:10 UTC 2009


> As noted on the user's list, we got some suggestions that we should
> use double signatures for KSK rollover. Because most people would
> like to change the DS records only one time. Do we agree?
>
> Currently we do (something like this):
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key
> ods-ksmutil key ksk-roll
> - Make new key active. Retire old key.
>
> Suggested solution:
> ods-ksmutil key rollover --zone example.com --keytype KSK
> - Publish new key. Make new key active (when key is ready).
> ods-ksmutil key ksk-roll
> - Retire old key.
>
> Should we do this for version 1? Would it be difficult?

So personally I think that we should not be changing behaviour at this
point unless what we are seeing is really broken.

My preference would be to work on the different rolling schemes as a
configuration option in version 1.1.

Sion
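Added example (editor's note, not code from the thread or from OpenDNSSEC): a toy model of the two orderings quoted above, used to count how many DS updates the parent has to receive in each. It assumes, as labelled in the code, that a DS update submitted at one step is only visible to validators from the next step on, that validators may still hold the previous DS set for one step (TTL caching), that the chain of trust is intact only while every such cached DS view matches at least one key currently signing the DNSKEY RRset, and that the operator waits one step for DS propagation between the two ods-ksmutil commands. The "wait" steps and the step labels are assumptions of the model, not commands from the thread.

```python
from itertools import combinations, product

# Key states, using the thread's wording.
PUBLISH, ACTIVE, RETIRE = "publish", "active", "retire"

# Each scheme is a list of (label, zone_state) pairs; zone_state maps key name
# to its state. Step 0 is the steady state before the rollover. The "wait"
# steps are an assumption of this model: the operator pauses until the
# parent's DS change has propagated before running the next command.
CURRENT_SCHEME = [
    ("before rollover", {"old": ACTIVE}),
    ("key rollover: publish new key", {"old": ACTIVE, "new": PUBLISH}),
    ("wait for DS propagation", {"old": ACTIVE, "new": PUBLISH}),
    ("ksk-roll: activate new, retire old", {"old": RETIRE, "new": ACTIVE}),
]

SUGGESTED_SCHEME = [
    ("before rollover", {"old": ACTIVE}),
    ("key rollover: publish and activate new key", {"old": ACTIVE, "new": ACTIVE}),
    ("wait for DS propagation", {"old": ACTIVE, "new": ACTIVE}),
    ("ksk-roll: retire old", {"old": RETIRE, "new": ACTIVE}),
]


def published(state):
    """Keys present in the DNSKEY RRset at this step (retired keys are gone)."""
    return frozenset(k for k, s in state.items() if s != RETIRE)


def signers(state):
    """Keys signing the DNSKEY RRset at this step."""
    return frozenset(k for k, s in state.items() if s == ACTIVE)


def chain_intact(ds_views, state):
    """Every validator view of the parent DS set must match at least one signer."""
    return all(view & signers(state) for view in ds_views)


def min_ds_changes(scheme):
    """Brute-force the fewest DS updates that keep the chain of trust intact at
    every step and leave only the new key's DS at the parent.
    Returns (changes, [(step label, DS set in effect), ...]) or None."""
    initial_ds = signers(scheme[0][1])
    final_ds = signers(scheme[-1][1])
    # At each step the operator may submit nothing (None) or any non-empty
    # subset of the keys currently published as the new parent DS set.
    options = []
    for _, state in scheme:
        pub = sorted(published(state))
        subsets = [frozenset(c) for r in range(1, len(pub) + 1)
                   for c in combinations(pub, r)]
        options.append([None] + subsets)
    best = None
    for plan in product(*options):
        prev_ds = cur_ds = initial_ds
        pending = None
        changes, history, ok = 0, [], True
        for i, (label, state) in enumerate(scheme):
            if pending is not None:          # last step's update takes effect now
                prev_ds, cur_ds = cur_ds, pending
                pending = None
            else:
                prev_ds = cur_ds
            if not chain_intact({prev_ds, cur_ds}, state):
                ok = False
                break
            history.append((label, sorted(cur_ds)))
            if plan[i] is not None and plan[i] != cur_ds:
                changes += 1
                pending = plan[i]
        if not ok:
            continue
        end_ds = pending if pending is not None else cur_ds
        if end_ds != final_ds:
            continue
        if best is None or changes < best[0]:
            best = (changes, history)
    return best


if __name__ == "__main__":
    for name, scheme in (("current", CURRENT_SCHEME), ("suggested", SUGGESTED_SCHEME)):
        changes, history = min_ds_changes(scheme)
        print(f"{name}: {changes} DS change(s)")
        for label, ds in history:
            print(f"  {label:45s} DS={ds}")
```

Under these assumptions the current ordering needs two parent updates (add the new DS while the old key still signs alone, then remove the old DS after the roll), while the double-signature ordering needs one (swap old for new while both keys sign), which is the "change the DS records only one time" point made in the quoted message.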