[Opendnssec-develop] Importing shared keys
Roland van Rijswijk
roland.vanrijswijk at surfnet.nl
Wed Jul 21 11:00:23 UTC 2010
Hi Alex,
Alex Dalitz wrote:
>>> Ah. My personal opinion is that this is a "deny and give an error
>>> unless user specifies --force" situation ;-)
>> Sounds good to me.
>
> We have a "--force" option?!
>
> If we don't, and decide we need one, what should the semantics be?
> i.e. Are we talking about a "disable audit for this run" flag, or for
> the lifetime of the policy-incompatible key, or something else?
Hmm... I was merely suggesting the general idea; it is bad practice to
import keys that do not meet the policy; on the other hand, there are
always users who - for some reason or other - need to do this.

What if, for instance, you want to move a zone to a shared-key policy
and the new policy requires bigger keys? What would that use case look
like (and which requirements does that translate to)?
Cheers,
Roland
--
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl