[Opendnssec-develop] Deactivating old KSK
sion at nominet.org.uk
Thu Nov 5 06:03:53 UTC 2009
> So we are missing step c (and the large value part of b) in
> OpenDNSSEC. Which I think we need before v1.0.
So this is what I am going to do:
1) Change the default time that a KSK is in the retire state to INT_MAX - 1
2) Create an ods-ksmutil command ("ds removed --zone <zone>"? do we need a --policy version?); this will set the dead time to:
   "now" + max(TTL of record in parent zone + estimate of propagation delay through parent zone,
                TTL of record in this zone + estimate of propagation delay through this zone)
   + safety margin
Note that all of these variables are already part of the kasp.xml.
I'm assuming that if a key is rolled manually then "ods-ksmutil ds removed"
will still be called at some point.
If anything here surprises you, or if you think that I have left anything
out then please let me know.
Sion
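An added example, not code from the OpenDNSSEC project or from this thread, that computes the dead time described in step 2 from a kasp.xml-style policy. The element paths Keys/TTL (DNSKEY TTL), Keys/RetireSafety, Zone/PropagationDelay, Parent/DS/TTL and Parent/PropagationDelay are my assumptions about how kasp.xml lays those values out, and the policy fragment below is constructed for the example:

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed kasp.xml fragment (not a real OpenDNSSEC policy file). The element
# names are assumptions about the kasp.xml layout, not taken from the project.
KASP_FRAGMENT = """<KASP>
  <Policy name="default">
    <Keys>
      <TTL>PT3600S</TTL>
      <RetireSafety>PT3600S</RetireSafety>
    </Keys>
    <Zone>
      <PropagationDelay>PT43200S</PropagationDelay>
    </Zone>
    <Parent>
      <PropagationDelay>PT9999S</PropagationDelay>
      <DS><TTL>PT86400S</TTL></DS>
    </Parent>
  </Policy>
</KASP>"""

# Subset of ISO 8601 durations as used in kasp.xml: P14D, PT3600S, PT1H30M, ...
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def parse_duration(text):
    """Convert a kasp.xml duration string into a number of seconds."""
    m = _DURATION.match(text.strip())
    if not m:
        raise ValueError("unsupported duration: %r" % text)
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return parts["d"] * 86400 + parts["h"] * 3600 + parts["m"] * 60 + parts["s"]


def load_policy(kasp_xml, name):
    """Pull the five timing values the dead-time formula needs out of one policy."""
    root = ET.fromstring(kasp_xml)
    pol = root.find("Policy[@name='%s']" % name)
    if pol is None:
        raise KeyError("no policy named %r" % name)

    def secs(path):
        node = pol.find(path)
        if node is None or node.text is None:
            raise KeyError("policy %r has no %s" % (name, path))
        return parse_duration(node.text)

    return {
        "parent_ds_ttl": secs("Parent/DS/TTL"),          # TTL of the DS in the parent
        "parent_propagation": secs("Parent/PropagationDelay"),
        "zone_dnskey_ttl": secs("Keys/TTL"),              # TTL of the DNSKEY in this zone
        "zone_propagation": secs("Zone/PropagationDelay"),
        "safety": secs("Keys/RetireSafety"),              # the "safety margin"
    }


def dead_time_delay(policy):
    """Seconds after 'ds removed' until the old KSK can safely be declared dead.

    Whichever side (parent or child) takes longer for the old data to expire
    from caches bounds the wait, and the safety margin is added on top.
    """
    parent_side = policy["parent_ds_ttl"] + policy["parent_propagation"]
    zone_side = policy["zone_dnskey_ttl"] + policy["zone_propagation"]
    return max(parent_side, zone_side) + policy["safety"]


def dead_time(policy, now):
    """Absolute dead time for a KSK whose DS was removed at `now`."""
    return now + timedelta(seconds=dead_time_delay(policy))


if __name__ == "__main__":
    pol = load_policy(KASP_FRAGMENT, "default")
    now = datetime.now(timezone.utc)
    print("dead after %d seconds, i.e. at %s" % (dead_time_delay(pol), dead_time(pol, now)))
```

With the constructed values the parent side (86400 + 9999) dominates the zone side (3600 + 43200), so the key is dead 96399 + 3600 seconds after the DS is reported removed; swapping the TTLs would make the child side dominate instead, which is why the max is needed rather than just the parent-zone figures.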