[Opendnssec-develop] Overlapping KSKs
Jakob Schlyter
jakob at kirei.se
Thu Sep 3 09:39:27 UTC 2009
On 3 sep 2009, at 04.30, sion at nominet.org.uk wrote:
> Does this work for .se? Or, do we need some new logic to mark 2 keys as
> "active"?
we need to mark 2 keys active concurrently.
> Then we have a question about rollovers. If the rollover is an emergency
> one do we have to assume that all keys on that HSM are compromised? Do we
> need to think about standby keys (ones on the same hsm, waiting for
> scheduled rollovers) and emergency keys (stored on a separate hsm) as
> separate entities?
in amsterdam we decided that what we currently call "emergency keys"
should be renamed to "standby keys". the reason was that the standby
keys are more used for standby than for actual emergency, IIRC:
jakob