rickard.bellgrim at iis.se
Wed Dec 8 15:38:46 UTC 2010
On 8 dec 2010, at 10.16, Sion Lloyd wrote:
>> So the --no-retire will only delay the current rollover until the
>> ksk-retire is given. And since we can only have one flow of keys within
>> the zone, then we know that the new key is what we are going to rollover
> If the user doesn't issue the ksk-retire command, either because they forget
> or because they don't want to, then they could just accumulate keys... again I
> am not saying that this is a good idea, just that it is possible.
> Should we disable this option if it is not compatible with our rollover
The rollover procedures are still quite a mess. Could you perhaps propose how we should do this in a clean way, so that the DelegationSignerSubmitCommand also function as intended?
More information about the Opendnssec-develop