[Opendnssec-develop] Importing shared keys

Sion Lloyd sion at nominet.org.uk
Wed Jul 21 13:46:29 UTC 2010

> > Why shouldn't the key be used?
> Because the other zones in the policy already participate in a
> shared-key scheme, right? And it is not a "new" (fresh) key since it is
> already in use for a zone. Thinking about this: I guess a move from
> unshared to shared is:
> - Add zone to shared policy
> - Import zone keys into policy
> - Next policy-based roll or user forced roll will move zone from
> unshared to shared
> - Discard keys
> Would that work?

Yes. However you can import keys in the GENERATE state also, say you create 
them with hsmutil but then want OpenDNSSEC to use them. In this case I imagine 
that you would want to allow multiple zones to use that key... Is this ever 
likely to happen? (It is allowed in the current system.)


More information about the Opendnssec-develop mailing list