[Opendnssec-develop] KSK rollover - current plan

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 10 08:31:25 UTC 2009


> > Do you need to use the keytag? Won't the system know which keys we
> > are talking about when using either --zone or --policy?
> >
> > If we must use the keytag, can we handle keytag collisions?
>
> I was thinking that there may be more than one key in the ready state for
> any given zone/policy... If there is a keytag collision then I was going to
> report back with the cka_ids involved and give the option of either one?
>
> Sion

Sounds reasonable.

This means that the user is handling the key and not the zone. The user must thus make sure that it has uploaded the DS records for all of the zones that are sharing this key before giving this command.

// Rickard
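
The keytag collision case discussed in this thread, as an added example that is not part of the original messages and not OpenDNSSEC's code: the key tag is computed as in RFC 4034 Appendix B, and a lookup among the ready keys returns every matching cka_id so that a collision can be reported back to the user. The key material, the cka_id values and the `ready_keys` layout are constructed for illustration.

```python
import struct


def key_tag(flags, protocol, algorithm, public_key):
    """Key tag of a DNSKEY per RFC 4034 Appendix B (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets contribute the high octet, odd offsets the low octet.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def select_ready_keys(ready_keys, keytag):
    """Return the cka_ids of all ready keys whose key tag equals `keytag`.

    One result identifies the key; more than one is a collision, and the
    caller should list the cka_ids and ask which key is meant.
    """
    return sorted(
        cka_id
        for cka_id, (flags, protocol, algorithm, public_key) in ready_keys.items()
        if key_tag(flags, protocol, algorithm, public_key) == keytag
    )


# Constructed sample data (hypothetical cka_ids, toy-sized key material).
# The second key swaps two octets at even offsets, so the 16-bit sum, and
# therefore the key tag, is identical although the keys differ.
READY_KEYS = {
    "cka-aaaa0001": (257, 3, 8, bytes.fromhex("03010001a1b2c3d4e5f60718")),
    "cka-bbbb0002": (257, 3, 8, bytes.fromhex("03010001c3b2a1d4e5f60718")),
    "cka-cccc0003": (257, 3, 8, bytes.fromhex("03010001a1b2c3d4e5f60719")),
}

if __name__ == "__main__":
    for tag in sorted({key_tag(*fields) for fields in READY_KEYS.values()}):
        matches = select_ready_keys(READY_KEYS, tag)
        if len(matches) > 1:
            print(f"keytag {tag}: collision, choose one of {matches}")
        else:
            print(f"keytag {tag}: {matches[0]}")
```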
