[Opendnssec-develop] Importing shared keys

Sion Lloyd sion at nominet.org.uk
Wed Jul 21 10:08:40 UTC 2010

> > What would people like to see happen on key import? Currently you need to
> > specify a zone to import the key onto, and then we have a choice:
> > 
> > Make this key available to other zones on the policy,
> > 
> > or
> > 
> > don't.
> > 
> > The simplest thing is to make it available, but are there reasons why we
> > may not want to do this?
> Importing a key is probably something that you want to do if you have a
> zone that is being migrated from "tool X" to OpenDNSSEC (either because
> of a change in tooling or because of a move from one DNS operator to the
> other). If this key is linked to a single zone only, then it makes sense
> (IMHO) to link it only to that zone.

Right. I would certainly only link it to that one zone initially. However, if 
you are sharing all other keys, why not this one? Currently it would go into 
the pool of unused keys for other zones on the policy; is this bad?

> The fun starts when you consider that people may be changing their
> policy from having one key per zone with "tool X" (for instance, because
> that tool only supports such simple policies) to shared keys. We could
> call this a "policy rollover". In this case, the workflow I imagine
> would be:
> - Create a single-zone, non-shared key policy for the zone+key to import
> - Have a "policy rollover" mechanism where you can move a zone from one
> policy to another (i.e. from non-shared to shared) (in effect, this is a
> KSK + ZSK rollover for the zone that is being moved)

I'm not sure that we want/need a policy rollover where the policies are 
identical apart from the shared-keys parameter. I would need to be persuaded 
on this one.

> > On this note, are there any reasons to have an "import onto policy"
> > function where you can import a key in a particular state and it will
> > appear in that state in all zones on that policy? (Currently the key
> > would be in the imported state on the zone it was imported on, and just
> > in the general pool of unused keys for all other zones.)
> I'm not sure if you would need that, my suggestion would be to look at
> the use case I described above and then decide if you need this.

Cool, makes my life easier.

> Hope this helps...

Yes, thank you. It also makes me think of something else. Currently you can 
import any key onto a zone, _even_ if it does not comply with the current 
policy... This will no doubt confuse the auditor, so should we stop it from 
importing, warn, or do something else?
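As an added illustration (not OpenDNSSEC code, and not something the thread itself proposes), the following toy Python model captures the two decisions discussed in this message: whether a key imported onto one zone also joins the pool available to the other zones on the same policy, and whether an import that does not match the zone's policy should be rejected, allowed with a warning, or allowed silently. The names (`KeyStore`, `Policy`, `import_key`, `on_mismatch`) and the algorithm-number/bit-length fields used for the compliance check are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    KSK = "KSK"
    ZSK = "ZSK"


@dataclass(frozen=True)
class KeySpec:
    """Cryptographic shape of a key, used both for policy requirements and imports."""
    algorithm: int  # DNSSEC algorithm number (8 = RSASHA256, 5 = RSASHA1)
    bits: int
    role: Role


@dataclass
class Policy:
    name: str
    shared_keys: bool    # one key pool for all zones on this policy
    requirements: dict   # Role -> KeySpec the policy expects for that role


@dataclass
class StoredKey:
    key_id: str
    spec: KeySpec
    zone: str            # zone the key was imported onto
    state: str           # state it was imported in, e.g. "active"
    shared: bool         # may sibling zones on the same policy draw on it?


class KeyStore:
    """Hypothetical key store (assumption for this example) modelling key import."""

    def __init__(self, policies):
        self.policies = {p.name: p for p in policies}
        self.zone_policy = {}   # zone -> policy name
        self.keys = []

    def add_zone(self, zone, policy_name):
        if policy_name not in self.policies:
            raise KeyError(f"unknown policy {policy_name}")
        self.zone_policy[zone] = policy_name

    def compliance_problems(self, spec, policy):
        """Reasons why `spec` violates `policy`; an empty list means compliant."""
        want = policy.requirements.get(spec.role)
        if want is None:
            return [f"policy {policy.name} defines no {spec.role.value}"]
        problems = []
        if spec.algorithm != want.algorithm:
            problems.append(f"algorithm {spec.algorithm} != policy algorithm {want.algorithm}")
        if spec.bits < want.bits:
            problems.append(f"{spec.bits} bits below policy minimum {want.bits}")
        return problems

    def import_key(self, key_id, spec, zone, state="active", share=None, on_mismatch="reject"):
        """Import a key onto `zone`; `on_mismatch` is "reject", "warn" or "allow"."""
        policy = self.policies[self.zone_policy[zone]]
        problems = self.compliance_problems(spec, policy)
        if problems and on_mismatch == "reject":
            raise ValueError(f"key {key_id} does not comply with policy {policy.name}: {problems}")
        # Default: follow the policy's sharing setting; the caller may override it.
        shared = policy.shared_keys if share is None else share
        key = StoredKey(key_id, spec, zone, state, shared)
        self.keys.append(key)
        # "warn" and "allow" differ only in whether the caller surfaces `problems`.
        return key, problems

    def pool_for(self, zone, role):
        """Key ids `zone` may use: its own keys plus shared keys of sibling zones."""
        policy_name = self.zone_policy[zone]
        result = []
        for k in self.keys:
            if k.spec.role != role:
                continue
            if k.zone == zone or (k.shared and self.zone_policy[k.zone] == policy_name):
                result.append(k.key_id)
        return result


def build_example_store():
    """Constructed sample: one shared-key policy with two zones on it."""
    policy = Policy("shared", True, {
        Role.KSK: KeySpec(8, 2048, Role.KSK),
        Role.ZSK: KeySpec(8, 1024, Role.ZSK),
    })
    store = KeyStore([policy])
    store.add_zone("a.example", "shared")
    store.add_zone("b.example", "shared")
    return store


if __name__ == "__main__":
    store = build_example_store()
    store.import_key("zsk-1", KeySpec(8, 1024, Role.ZSK), "a.example")
    print("b.example can use:", store.pool_for("b.example", Role.ZSK))
    _, problems = store.import_key("zsk-old", KeySpec(5, 1024, Role.ZSK), "a.example",
                                   on_mismatch="warn")
    print("warnings for zsk-old:", problems)
```

The `share=False` override models the "link it only to that one zone" option; leaving it unset gives the "make it available to the rest of the policy" behaviour. Whichever default is chosen, an import that bypasses the compliance check is exactly what an auditor would later flag, so `on_mismatch="reject"` is the conservative default here.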

