[Opendnssec-develop] DelegationSignerSubmitCommand

Sion Lloyd sion at nominet.org.uk
Tue Dec 14 10:32:06 UTC 2010


On Tuesday 14 Dec 2010 8:55:19 am Rickard Bellgrim wrote:
> On 9 dec 2010, at 11.15, Rickard Bellgrim wrote:
> >>> The rollover procedures are still quite a mess. Could you perhaps
> >>> propose how we should do this in a clean way, so that the
> >>> DelegationSignerSubmitCommand also functions as intended?
> >> 
> >> The only way I can think to make this clean is to force a pure rollover
> >> scheme on the user... This would mean disabling the no-retire flag and
> >> having the dssub command only send the new key.
> >> 
> >> Is this too draconian and restrictive though? Keep in mind that this
> >> might be the only KSK rollover scheme available for the next two
> >> releases...
> > 
> > What do you, Jakob, say about this?
> 
> After some discussion with Jakob...
> 
> Maybe it is too late to disable the no-retire flag, but we can add it to
> known issues that it will break DNSSEC.
> 
> Then make sure that the DSSC will send the correct set of keys.

Okay. So only the new key (and any standby) will get included, and the user 
will have to add in the old key if they want to use no-retire.

Sion


