[Opendnssec-develop] Importing shared keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Wed Jul 21 09:21:55 UTC 2010 

Hi Sion,

Sion Lloyd wrote:
> I'm getting through the shared keys work and am beginning to get to some of 
> the things that I hadn't thought about before. So this may be the first of 
> many questions...
> 
> What would people like to see happen on key import? Currently you need to 
> specify a zone to import the key onto, and then we have a choice:
> 
> Make this key available to other zones on the policy,
> 
> or
> 
> don't.
> 
> The simplest thing is to make it available, but are there reasons why we may 
> not want to do this?

Importing a key is probably something that you want to do if you have a
zone that is being migrated from "tool X" to OpenDNSSEC (either because
of a change in tooling or because of a move from one DNS operator to the
other). If this key is linked to a single zone only, then it makes sense
(IMHO) to link it only to that zone.

The fun starts when you consider that people may be changing their
policy from having one key per zone with "tool X" (for instance, because
that tool only supports such simple policies) to shared keys. We could
call this a "policy rollover". In this case, the workflow I imagine
would be:

- Create a single-zone, non-shared key policy for the zone+key to import

- Have a "policy rollover" mechanism where you can move a zone from one
policy to another (i.e. from non-shared to shared) (in effect, this is a
KSK + ZSK rollover for the zone that is being moved)

> On this note, are there any reasons to have an "import onto policy" function 
> where you can import a key in a particular state and it will appear in that 
> state in all zones on that policy? (Currently the key would be in the imported 
> state on the zone it was imported on, and just in the general pool of unused 
> keys for all other zones.)

I'm not sure if you would need that, my suggestion would be to look at
the use case I described above and then decide if you need this.

Hope this helps...

Cheers,

Roland

-- 
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl

More information about the Opendnssec-develop mailing list