[Opendnssec-develop] Deactivating old KSK

Sion.Lloyd at nominet.org.uk Sion.Lloyd at nominet.org.uk
Mon Nov 2 13:03:37 CET 2009


> Am I correct if I say that old KSK are currently automatically
> deactivated in accordance with the rollover algorithm?
>
> It should only be deactivated once the user has had the chance to
> publish the new DS to its parent. Shouldn't the rollover process be
> a two-step rocket?
>
> First make a new key active.
>
> And then deactivate the old key on the command by the user (or any
> script running on the machine) when the new DS is published.

There are 3 strategies for ksk rollover described in
draft-morris-dnsop-dnssec-key-timing-01 (
http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01#section-4.3)
.

Should it be a configurable option as to which one the user wants?

Sion




More information about the Opendnssec-develop mailing list