[Opendnssec-develop] DelegationSignerSubmitCommand
Sion Lloyd
sion at nominet.org.uk
Wed Dec 8 16:14:03 UTC 2010
> The rollover procedures are still quite a mess. Could you perhaps propose
> how we should do this in a clean way, so that the
> DelegationSignerSubmitCommand also functions as intended?
>
The only way I can think to make this clean is to force a pure rollover scheme
on the user... This would mean disabling the no-retire flag and having the
dssub command only send the new key.
Is this too draconian and restrictive though? Keep in mind that this might be
the only KSK rollover scheme available for the next two releases...
Is it too late in the release to introduce a new flag or rollover option
"strict" which forces this behaviour? (I think so, but will work on this if we
think it is really needed.)
We could document the current situation and fix this either after the release
in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?
Sion