[Opendnssec-develop] Importing shared keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Wed Jul 21 10:16:47 UTC 2010

Hi Sion,

Sion Lloyd wrote:
> Right. I would certainly only link it to that one zone initially. However if 
> you are sharing all other keys why not this one? Currently it would go into 
> the pool of unused keys for other zones on the policy, is this bad?

Not necessarily, I guess it will just sit in that pool and not be used.

> I'm not sure that we want/need a policy rollover where the policies are 
> identical apart from the shared-keys parameter. I would need to be persuaded 
> on this one.

Ah, my bad, I'm thinking in solutions. The use case is simple: I would
like to be able to move a zone from a one-key-per-zone situation to a
shared-key situation. How that is solved doesn't really matter (but a
policy rollover is one option, another is to change an existing policy).
The rationale for this is simple: we cannot have shared keys in our
setup as it is because of the limitations in OpenDNSSEC 1.1.x; in the
future, however, when OpenDNSSEC does support this, we want to be able
to migrate from a one-key-per-zone situation to a one-key-per-customer
(shared) situation.

> Yes, thank you. It also makes me think of something else. Currently you can 
> import any key onto a zone, _even_ if it does not comply with the current 
> policy... This will no doubt confuse the auditor, so should we stop it from 
> importing, warn or something else?

Ah. My personal opinion is that this is a "deny and give an error unless
user specifies --force" situation ;-)
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
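The "deny and give an error unless the user specifies --force" behaviour discussed in the message above, written out as an added example. This is not OpenDNSSEC's own code: the `Policy`, `ImportedKey`, `policy_mismatches` and `import_key` names, the policy fields and the sample key parameters are all constructed for illustration. The only page-supported elements are the idea of checking an imported key against the zone's policy and the `--force` override; the DNSSEC algorithm numbers are the IANA registry values.

```python
from dataclasses import dataclass
from typing import List

# DNSSEC algorithm numbers from the IANA registry.
RSASHA256 = 8
ECDSAP256SHA256 = 13


@dataclass
class KeyRequirements:
    """Algorithm and size a policy demands for one key role (hypothetical structure)."""
    algorithm: int
    bits: int


@dataclass
class Policy:
    """Hypothetical per-policy key requirements; the 'shared_keys' flag mirrors the
    shared-keys parameter the thread talks about."""
    name: str
    ksk: KeyRequirements
    zsk: KeyRequirements
    shared_keys: bool = False


@dataclass
class ImportedKey:
    """What an operator supplies at import time: an HSM locator plus key parameters."""
    locator: str
    keytype: str        # "KSK" or "ZSK"
    algorithm: int
    bits: int


class PolicyViolation(Exception):
    """Raised when an import is denied because the key does not match the policy."""


def policy_mismatches(key: ImportedKey, policy: Policy) -> List[str]:
    """Return a human-readable reason for every way the key deviates from the policy.
    An empty list means the key is compliant."""
    if key.keytype not in ("KSK", "ZSK"):
        return ["unknown key type %r" % key.keytype]
    want = policy.ksk if key.keytype == "KSK" else policy.zsk
    problems = []
    if key.algorithm != want.algorithm:
        problems.append("%s algorithm %d does not match policy %s (requires %d)"
                        % (key.keytype, key.algorithm, policy.name, want.algorithm))
    if key.bits != want.bits:
        problems.append("%s size %d bits does not match policy %s (requires %d)"
                        % (key.keytype, key.bits, policy.name, want.bits))
    return problems


def import_key(key: ImportedKey, policy: Policy, zone: str, force: bool = False) -> dict:
    """Deny a non-compliant import unless force is set. On success return the record
    that would be stored, carrying any policy warnings so the auditor's complaint is
    visible in the log rather than silently swallowed."""
    problems = policy_mismatches(key, policy)
    if problems and not force:
        raise PolicyViolation("refusing to import %s onto %s: %s (use --force to override)"
                              % (key.locator, zone, "; ".join(problems)))
    return {
        "zone": zone,
        "locator": key.locator,
        "keytype": key.keytype,
        "policy": policy.name,
        "warnings": problems,
    }


# Constructed sample policy and keys, chosen to show both outcomes.
SAMPLE_POLICY = Policy("customer-default",
                       ksk=KeyRequirements(RSASHA256, 2048),
                       zsk=KeyRequirements(RSASHA256, 1024),
                       shared_keys=True)
COMPLIANT_KSK = ImportedKey("hsm:0001", "KSK", RSASHA256, 2048)
ODD_ZSK = ImportedKey("hsm:0002", "ZSK", ECDSAP256SHA256, 256)


if __name__ == "__main__":
    print(import_key(COMPLIANT_KSK, SAMPLE_POLICY, "example.org"))
    try:
        import_key(ODD_ZSK, SAMPLE_POLICY, "example.org")
    except PolicyViolation as err:
        print("denied:", err)
    print(import_key(ODD_ZSK, SAMPLE_POLICY, "example.org", force=True))
```

The design choice here is that `--force` does not make the mismatch disappear: the returned record still carries the warnings, so whatever audits the zone later can explain why a key that violates the policy is present.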