[Opendnssec-develop] Deactivating old KSK

sion at nominet.org.uk sion at nominet.org.uk
Thu Nov 5 07:24:40 UTC 2009


> I think we also need a policy version for those with many zones.
>
> What will happen if you roll the key and there is no ready key? The
> user takes the prepublished key and adds this as a DS. Gives the ds
> command before the new key is ready.
>
> Will it still work? Just so that the algorithm works as intended. And
> that we retire the old key when we should do it and not prematurely.

Should we allow them to "remove" the ds record of an active key? If we are
asked to retire a key and there is no ready key to take over what we do now
is set the retire time to be now, but it will not actually move until there
is a key in the ready state.

So we could make the dead time equal to the ready time of the replacement
key + max(...) + safety? Or we could throw an error.

If "ds remove" is called on a zone with no retired key should I take that
as an instruction to roll the key?
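The retire-with-no-ready-key rule, the deferred rollover that completes once a key becomes ready, and the proposed dead time (ready time of the replacement + max(...) + safety) as an added toy model. This is illustration code written for this page, not OpenDNSSEC's enforcer; the state names, the policy fields used for the max(...) term, the "ds seen"/"ds removed" function names and the `roll_if_none` option (modelling the two alternatives the mail weighs for "ds remove" with no retired key) are all assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Generic DNSSEC key-lifecycle states (assumed names for this illustration,
# not OpenDNSSEC's internal identifiers).
PUBLISH, READY, ACTIVE, RETIRE, DEAD = "publish", "ready", "active", "retire", "dead"


@dataclass
class Policy:
    """Assumed policy timings in seconds (hypothetical fields and values)."""
    ds_ttl: int
    dnskey_ttl: int
    parent_propagation: int   # worst-case delay before the parent serves the new DS
    safety: int

    def withdraw_window(self) -> int:
        """The max(...) term: how long resolvers may still cache the old DS/DNSKEY."""
        return max(self.ds_ttl, self.dnskey_ttl) + self.parent_propagation


@dataclass
class Key:
    tag: int
    state: str
    ready_time: Optional[int] = None
    retire_time: Optional[int] = None   # set as soon as retirement is requested
    dead_time: Optional[int] = None


@dataclass
class Zone:
    keys: List[Key] = field(default_factory=list)

    def find(self, state: str) -> Optional[Key]:
        return next((k for k in self.keys if k.state == state), None)


def _complete_rollover(zone: Zone, policy: Policy) -> Key:
    """Promote the READY key and move the ACTIVE key to RETIRE.

    Precondition: a READY key exists and the ACTIVE key has retire_time set.
    The old key's dead time is anchored on the replacement's ready time,
    as the mail proposes: ready time + max(...) + safety.
    """
    new, old = zone.find(READY), zone.find(ACTIVE)
    new.state = ACTIVE
    old.state = RETIRE
    old.dead_time = new.ready_time + policy.withdraw_window() + policy.safety
    return old


def retire_active(zone: Zone, now: int, policy: Policy) -> str:
    """Handle a request to retire the active key.

    With no READY key the request is only recorded (retire_time = now) and the
    key keeps signing; moving it would leave the zone without a usable KSK.
    """
    old = zone.find(ACTIVE)
    if old is None:
        raise ValueError("zone has no active key")
    old.retire_time = now
    if zone.find(READY) is None:
        return "pending"   # retire time set, key stays active until a key is ready
    _complete_rollover(zone, policy)
    return "retired"


def ds_seen(zone: Zone, tag: int, now: int, policy: Policy) -> str:
    """Operator reports the new key's DS is at the parent (assumed 'ds seen' step).

    The published key becomes READY; a pending retirement is then completed.
    """
    key = next((k for k in zone.keys if k.tag == tag), None)
    if key is None or key.state != PUBLISH:
        raise ValueError(f"key {tag} is not in the publish state")
    key.state, key.ready_time = READY, now
    old = zone.find(ACTIVE)
    if old is not None and old.retire_time is not None:
        _complete_rollover(zone, policy)
        return "ready, pending retirement completed"
    return "ready"


def ds_removed(zone: Zone, now: int, policy: Policy, roll_if_none: bool = False) -> str:
    """Assumed 'ds remove' step: the old DS is gone, so a RETIRE key may go DEAD.

    With no retired key, both options the mail raises are modelled:
    treat the call as a roll request (roll_if_none=True) or raise an error.
    """
    old = zone.find(RETIRE)
    if old is not None:
        old.state = DEAD
        return "dead"
    if roll_if_none:
        return retire_active(zone, now, policy)
    raise ValueError("no retired key whose DS could have been removed")
```

Run through the scenario from the mail: key 1 is active, key 2 only published. A retire request returns "pending" and key 1 stays active with its retire time recorded; once "ds seen" makes key 2 ready, key 2 becomes active, key 1 moves to retire, and its dead time is computed from key 2's ready time rather than from the earlier retire request.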



