[Opendnssec-develop] Zone moving between operators

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Mar 25 16:21:12 UTC 2009


Alright, but I think that in that case we need to consider additional
measurements to deal with zone transfer between operators and emergency
key rollover.

Matthijs

roy at nominet.org.uk wrote:
> Rick van Rein wrote on 03/25/2009 10:01:12 AM:
> 
>> Hi,
>>
>>> However, this is no issue if we decide one key should not span multiple
>>> zones.
>> This should neither be the default, nor should it be forbidden.
>> The administrator should be enabled to choose, based on the capacity
>> of the HSM in use (which may be a small USB key, remember).
>>
>> If you forbid it, you disable that cheap range of PKCS #11 devices.
>>
>> If you make it the default, you would not use the full power of a full HSM.
> 
> I agree.
> 
> The software should allow for several schemes, without dictating any
> policy.
> 
> Regards,
> 
> Roy Arends
> Sr. Researcher
> Nominet UK
> 