[Opendnssec-develop] Importing shared keys

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Wed Jul 21 11:00:23 UTC 2010


Hi Alex,

Alex Dalitz wrote:
>>> Ah. My personal opinion is that this is a "deny and give an error
>>> unless user specifies --force" situation ;-)
>> Sounds good to me.
> 
> We have a "--force" option?!
> 
> If we don't, and decide we need one, what should the semantics be?
> i.e. Are we talking about a "disable audit for this run" flag, or for
> the lifetime of the policy-incompatible key, or something else?

Hmm... I was merely suggesting the general idea; it is bad practice to
import keys that do not meet the policy; on the other hand, there are
always users who - for some reason or other - need to do this.

What if, for instance, you want to move a zone to a shared-key policy
and the new policy requires bigger keys? What would that use case look
like (and which requirements does that translate to)?

Cheers,

Roland

-- 
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl



