[Opendnssec-develop] Zone moving between operators
Rick van Rein
rick at openfortress.nl
Fri Mar 27 08:45:46 UTC 2009
Hello Antion,
> My worry is that in rollovers, the keys must move to the parent.
> Processing a giant amount of EPP messages (one per delegation) might be troublesome at a registry.
There are a few reasons why I don't share your feeling of caution.
1. People who only use a single key to sign zones, that is, those using
a USB stick instead of an HSM, will be small-sized. Why? Because:
2. Although a parent should not dictate that all domains use different
keys, it can indicate that a lot of changes will take more time.
I think it is reasonable, and will force individual children to
behave rationally with their dependency on the parent's resources.
3. If you would really want to support a large-scale emergency rollover,
you would be better off if all the keys are equal; given a proper
interface for it you could issue a single SQL UPDATE statement.
Hope this helps,
-Rick