[Opendnssec-develop] Zone moving between operators
jad at jadickinson.co.uk
Mon Mar 23 19:09:46 UTC 2009
On 23 Mar 2009, at 18:54, Matthijs Mekking wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> I had a talk with Antoin Verschuren and have the feeling that moving
> zones between operators is underspecified in the opendnssec project.
> issue was raised earlier by Rick.
> Questions that were raised are:
> * What to do when a zone moves from one operator to another.
Several people have asked me this as well - Off the top of my head, I
don't think we can do anything. There are too many variables. I think
that unless you (as a registrant) are willing to test the interaction
between operators on a regular basis you have to assume that you will
go, or at least will risk going, unsigned at change over.
> * What to do when the HSM is replaced
Just works (I hope). You add a new HSM, update policies to start using
it and new keys will be created in the new HSM.
> * Should we really want to use the same key for multiple zones? It
> have great impact if it became compromised.
Yes that is a risk - if you don't want to risk it don't do it.
> And does KASP has the logic
> if a key for zone A needs to be rollovered, but must be kept for other
No - lets not go there. :)
More information about the Opendnssec-develop