[Opendnssec-develop] Deactivating old KSK
Sion.Lloyd at nominet.org.uk
Mon Nov 2 12:03:37 UTC 2009
> Am I correct if I say that old KSKs are currently automatically
> deactivated in accordance with the rollover algorithm?
>
> It should only be deactivated once the user has had the chance to
> publish the new DS to its parent. Shouldn't the rollover process be
> a two-step rocket?
>
> First make a new key active.
>
> And then deactivate the old key on the command by the user (or any
> script running on the machine) when the new DS is published.
There are 3 strategies for KSK rollover described in
draft-morris-dnsop-dnssec-key-timing-01
(http://tools.ietf.org/html/draft-morris-dnsop-dnssec-key-timing-01#section-4.3).
Should it be a configurable option as to which one the user wants?
Sion
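The two-step rollover the quoted message asks for, as an added example for this thread (it is not OpenDNSSEC code and does not reproduce any of the draft's named strategies): the new KSK is activated while the old one keeps signing, and the old key is retired only once the parent actually publishes the new key's DS and that DS has been visible for at least one DS TTL, so validators that still cache only the old DS are not broken. The DS digest and key tag follow RFC 4509 and RFC 4034 Appendix B; the zone name, flags and key bytes are constructed, and the `seen_for` argument stands in for whatever mechanism (a script polling the parent, an operator command) tells the signer that the DS is out there.

```python
"""Two-step KSK rollover gate: activate the new KSK, retire the old one only
after the parent publishes the new DS.  Constructed example for this thread,
not OpenDNSSEC code; the zone name, key bytes and timings below are made up."""
import hashlib
from dataclasses import dataclass

DNSKEY_FLAGS_KSK = 257   # ZONE + SEP bits (RFC 4034 / RFC 3757)
DNSKEY_PROTOCOL = 3
ALG_RSASHA256 = 8        # RFC 5702 algorithm number


def wire_name(owner: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, RFC 4034 section 6.2."""
    out = bytearray()
    for label in owner.lower().rstrip(".").split("."):
        if label:
            out.append(len(label))
            out.extend(label.encode("ascii"))
    out.append(0)
    return bytes(out)


def dnskey_rdata(flags: int, protocol: int, alg: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, protocol, algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, alg]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> bytes:
    """DS digest = SHA-256(canonical owner name | DNSKEY RDATA), RFC 4509."""
    return hashlib.sha256(wire_name(owner) + rdata).digest()


@dataclass
class KSK:
    rdata: bytes
    state: str = "published"      # published -> active -> retired

    @property
    def tag(self) -> int:
        return key_tag(self.rdata)


class KskRollover:
    """Step 1 activates the new key while the old key keeps signing.
    Step 2 refuses to retire the old key until the parent shows the new DS
    and that DS has been observable for at least one DS TTL."""

    def __init__(self, zone: str, old: KSK, new: KSK):
        self.zone, self.old, self.new = zone, old, new

    def activate_new(self) -> None:
        # Both KSKs are now in the DNSKEY RRset and both sign it.
        self.new.state = "active"

    def retire_old(self, parent_ds: set, ds_ttl: int, seen_for: int) -> bool:
        """Retire the old KSK and return True only when it is safe to do so.
        parent_ds: DS digests currently published at the parent (constructed here).
        ds_ttl:    TTL of the parent's DS RRset, seconds.
        seen_for:  how long the new DS has been observable at the parent, seconds."""
        if self.new.state != "active":
            return False                     # step 1 has not happened yet
        if ds_digest(self.zone, self.new.rdata) not in parent_ds:
            return False                     # parent still points only at the old key
        if seen_for < ds_ttl:
            return False                     # caches may still hold only the old DS
        self.old.state = "retired"
        return True


if __name__ == "__main__":
    # Constructed keys; real public keys would be the DNSKEY public key field.
    old = KSK(dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL, ALG_RSASHA256, b"old-key" * 4), "active")
    new = KSK(dnskey_rdata(DNSKEY_FLAGS_KSK, DNSKEY_PROTOCOL, ALG_RSASHA256, b"new-key" * 4))
    roll = KskRollover("example.", old, new)
    roll.activate_new()
    parent = {ds_digest("example.", old.rdata)}           # parent has not picked up the new DS
    print("retire with only old DS at parent:", roll.retire_old(parent, 3600, 7200))
    parent.add(ds_digest("example.", new.rdata))          # new DS now published
    print("retire right after publication:  ", roll.retire_old(parent, 3600, 600))
    print("retire after one DS TTL:          ", roll.retire_old(parent, 3600, 3600))
    print("old KSK", old.tag, "is", old.state, "; new KSK", new.tag, "is", new.state)
```

The gate is the whole point: the signer can activate the new key on its own schedule, but the retirement step needs external evidence (the parent's DS set) that no purely local rollover algorithm has, which is why the quoted message wants it triggered by the user or a script rather than by the timer alone.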