[Opendnssec-develop] Re: [OpenDNSSEC] #157: Desire ManualKeyGeneration per key-type and/or policy
OpenDNSSEC
owner-dnssec-trac at kirei.se
Wed Aug 4 07:15:24 UTC 2010
#157: Desire ManualKeyGeneration per key-type and/or policy
------------------------------------+---------------------------------------
Reporter: robert@… | Owner: sion
Type: enhancement | Status: new
Priority: minor | Component: Enforcer
Version: trunk | Keywords: ManualKeyGeneration
------------------------------------+---------------------------------------
Comment(by rb):
Yes, currently the ManualKeyGeneration can only be set for the system and
not individual zones/policies/key types. Could you describe your use case
a little bit more?
E.g. that you have the .dk zone where you generate keys for ten years, and
then want to sign other zones using the same system. But these zones can
have their keys generated on the fly.
If you forget that you need new keys after 10 years, then the
ManualKeyGeneration will stop OpenDNSSEC from automatically generating new
ones for you. The ManualKeyGeneration can be skipped if you make sure to
remember that you need to take some action after e.g. 9 years.
It would be cleaner to have the ManualKeyGeneration on another level. But
what level would that be? Zone / Policy / Key type / Repository?
--
Ticket URL: <http://trac.opendnssec.org/ticket/157#comment:1>
OpenDNSSEC <http://www.opendnssec.org/>