[Opendnssec-develop] Zone moving between operators

John Dickinson jad at jadickinson.co.uk
Mon Mar 23 19:09:46 UTC 2009


On 23 Mar 2009, at 18:54, Matthijs Mekking wrote:

> Hi,
>
> I had a talk with Antoin Verschuren and have the feeling that moving
> zones between operators is underspecified in the opendnssec project. The
> issue was raised earlier by Rick.
>
> Questions that were raised are:
>
> * What to do when a zone moves from one operator to another.

Several people have asked me this as well - off the top of my head, I
don't think we can do anything. There are too many variables. I think
that unless you (as a registrant) are willing to test the interaction
between operators on a regular basis you have to assume that you will
go, or at least will risk going, unsigned at change over.

> * What to do when the HSM is replaced

Just works (I hope). You add a new HSM, update policies to start using
it and new keys will be created in the new HSM.

> * Should we really want to use the same key for multiple zones? It could
> have great impact if it became compromised.

Yes, that is a risk - if you don't want to risk it, don't do it.

> And does KASP have the logic
> if a key for zone A needs to be rolled over, but must be kept for other
> zones?

No - let's not go there. :)

John
---
John Dickinson
http://www.jadickinson.co.uk
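Added illustration, not part of the thread or of the OpenDNSSEC project's own files: the HSM replacement John describes (keep the old repository configured so retiring keys stay reachable, point the policy at the new one) and the key-sharing choice Matthijs asks about, written as conf.xml and kasp.xml fragments. Element names follow later OpenDNSSEC releases and may differ from the 2009 code; repository names, module paths, token labels and the PIN are placeholders.

```xml
<!-- conf.xml fragment (assumed layout): RepositoryList with both HSMs.
     Keys already in OldHSM keep signing until they retire; the policy
     below makes every newly generated key land in NewHSM. -->
<RepositoryList>
  <Repository name="OldHSM">                      <!-- placeholder name -->
    <Module>/usr/lib/pkcs11/libold-hsm.so</Module> <!-- placeholder path -->
    <TokenLabel>opendnssec-old</TokenLabel>
    <PIN>1234</PIN>                                <!-- placeholder PIN -->
  </Repository>
  <Repository name="NewHSM">                      <!-- placeholder name -->
    <Module>/usr/lib/pkcs11/libnew-hsm.so</Module> <!-- placeholder path -->
    <TokenLabel>opendnssec-new</TokenLabel>
    <PIN>1234</PIN>                                <!-- placeholder PIN -->
  </Repository>
</RepositoryList>

<!-- kasp.xml fragment (assumed layout): the Keys section of one policy.
     <ShareKeys/> is deliberately left out, so a compromised key affects
     only the zone it was generated for, which is the "don't do it" option
     from the thread. Adding <ShareKeys/> here would let zones on this
     policy reuse one key. -->
<Policy name="default">
  <Keys>
    <TTL>PT3600S</TTL>
    <RetireSafety>PT3600S</RetireSafety>
    <PublishSafety>PT3600S</PublishSafety>
    <Purge>P14D</Purge>
    <KSK>
      <Algorithm length="2048">8</Algorithm>  <!-- 8 = RSASHA256 -->
      <Lifetime>P1Y</Lifetime>
      <Repository>NewHSM</Repository>         <!-- new keys go here -->
    </KSK>
    <ZSK>
      <Algorithm length="2048">8</Algorithm>
      <Lifetime>P90D</Lifetime>
      <Repository>NewHSM</Repository>         <!-- new keys go here -->
    </ZSK>
  </Keys>
</Policy>
```

Removing the OldHSM repository entry before its last key has retired would leave the enforcer unable to reach keys the zone still publishes, so the old entry stays until the rollover completes.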