[Opendnssec-develop] Importing shared keys
Sion Lloyd
sion at nominet.org.uk
Wed Jul 21 13:46:29 UTC 2010
> > Why shouldn't the key be used?
>
> Because the other zones in the policy already participate in a
> shared-key scheme, right? And it is not a "new" (fresh) key since it is
> already in use for a zone. Thinking about this: I guess a move from
> unshared to shared is:
>
> - Add zone to shared policy
> - Import zone keys into policy
> - Next policy-based roll or user forced roll will move zone from
> unshared to shared
> - Discard keys
>
> Would that work?
Yes. However, you can import keys in the GENERATE state also; say you create
them with hsmutil but then want OpenDNSSEC to use them. In this case I imagine
that you would want to allow multiple zones to use that key... Is this ever
likely to happen? (It is allowed in the current system.)
Sion