[Opendnssec-develop] DelegationSignerSubmitCommand

Sion Lloyd sion at nominet.org.uk
Wed Dec 8 16:14:03 UTC 2010

> The rollover procedures are still quite a mess. Could you perhaps propose
> how we should do this in a clean way, so that the
> DelegationSignerSubmitCommand also function as intended?

The only way I can think to make this clean is to force a pure rollover scheme 
on the user... This would mean disabling the no-retire flag and having the 
dssub command only send the new key.

Is this too draconian and restrictive though? Keep in mind that this might be 
the only KSK rollover scheme available for the next two releases...

Is it too late in the release to introduce a new flag or rollover option 
"strict" which forces this behaviour? (I think so, but will work on this if we 
think it is really needed.)

We could document the current situation and fix this either after the release 
in 1.2 or for 1.3 (which I believe will not have the new enforcer code)?


More information about the Opendnssec-develop mailing list