[Opendnssec-develop] KSK Rollovers

Jakob Schlyter jakob at kirei.se
Thu Jul 2 18:26:27 UTC 2009


On 2 jul 2009, at 13.39, Stephen.Morris at nominet.org.uk wrote:

> a) Does KASP warn about a rollover?

I believe we should warn via syslog.

> b) Does KASP notify the user when a KSK rollover is happening?

I believe we should warn via syslog here as well.

> And does it identify the DS record(s) that should be added to the  
> parent zone?

it might be nice to log the keytag of the new KSK(s).

> c) Does the signer create the DS record in a way that it can be  
> easily found?

at the last meeting in Amsterdam we decided that the signer should not  
save the DS records in any file - the user can use drill or similar to  
get data needed to send to the parent.

> d) Does KASP notify the user when a DS record should be removed from  
> the parent zone? And how does it identify the key to be removed?

as soon as the new KSK has gone active and all signatures have been
regenerated, it could log this as well?
>
> In the longer term, do we also want to add the ability for
> OpenDNSSEC to check whether a DS record of a KSK is in the parent
> zone before we actually start signing the zone with the new key (as
> suggested in the KSK rollover algorithm in the key timing draft?)  At
> present, I believe the assumption is that the DS record will appear
> in the parent zone within some (configurable) interval of it being
> available to the operator.

right.

	jakob
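The DS handling this thread touches on (logging the key tag of the new KSK, the operator deriving the DS record for the parent with drill or similar, and later checking whether the parent actually publishes that DS before the new key is used) can be shown end to end in a few lines. The following is an added example, not OpenDNSSEC code and not code from anyone in this thread: it derives the key tag and DS digest from DNSKEY RDATA and compares the result against a parent DS set. The owner name, the key material and the parent DS lines are constructed placeholders.

```python
import base64
import hashlib
import struct

# Added example (not OpenDNSSEC code): derive a KSK's DS record from its
# DNSKEY RDATA and check whether the parent zone already publishes it.
# All key material and DS lines used below are constructed sample data.

# DS digest types this example can compute (RFC 4034 section 5.1.4, RFC 4509).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA in wire format (RFC 4034 section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(name):
    """Canonical (lower-case, uncompressed) wire form of an owner name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def ds_record(owner, flags, protocol, algorithm, public_key, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) for one DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def parse_ds_rr(line):
    """Parse a DS RR in presentation format into the same tuple as ds_record.

    The digest field may be split across several whitespace-separated tokens,
    as drill and dig print it, so everything after the digest type is joined.
    """
    fields = line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    return (tag, alg, dtype, "".join(fields[i + 4:]).upper())


def ds_published(parent_ds_lines, owner, flags, protocol, algorithm, public_key):
    """True if the parent's DS set contains a DS for this key (any digest type)."""
    parent = {parse_ds_rr(l) for l in parent_ds_lines if " DS " in l}
    return any(
        ds_record(owner, flags, protocol, algorithm, public_key, dt) in parent
        for dt in DIGESTS
    )


if __name__ == "__main__":
    owner = "example.com."                      # constructed owner name
    old_ksk = bytes.fromhex("01020304")         # constructed placeholder, not a real key
    new_ksk = bytes.fromhex("0a0b0c0d0e0f")     # constructed placeholder, not a real key
    # Parent DS set as it looks before the rollover: only the old KSK's DS.
    parent = ["%s 86400 IN DS %d %d %d %s" % ((owner,) + ds_record(owner, 257, 3, 8, old_ksk))]

    tag, alg, dtype, digest = ds_record(owner, 257, 3, 8, new_ksk)
    # The syslog line the thread proposes could carry exactly this information.
    print("new KSK keytag=%d; DS for parent: %s IN DS %d %d %d %s"
          % (tag, owner, tag, alg, dtype, digest))
    print("DS of new KSK in parent:", ds_published(parent, owner, 257, 3, 8, new_ksk))
    parent.append("%s 86400 IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest))
    print("DS of new KSK in parent after submission:",
          ds_published(parent, owner, 257, 3, 8, new_ksk))
```

In practice the parent DS lines would come from a query against the parent's name servers (for example drill's DS output), and a scheduler would only let the new KSK go active once `ds_published` is true, which is the check the last quoted paragraph asks about; the example keeps that input as constructed lines so it runs offline.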
