[Opendnssec-develop] KSK rollover

Jakob Schlyter jakob at kirei.se
Mon Mar 1 09:51:18 UTC 2010


On 25 feb 2010, at 12.03, sion at nominet.org.uk wrote:

> One further complication... Should we allow different DS_PUBLISHED and
> DS_READY times for different zones sharing keys? Currently all times are
> stored against the key, rather than the zone's instance of a key. (I.e. in
> the keypairs table, not the dnsseckeys table for those familiar with the
> kasp schema.)

I'd expect all timings to be per zone, not per key. If multiple zones are sharing a key, they should only share the keypair itself, not any timing parameters associated with a key. So I want to be able to roll a key for one zone in a set of zones sharing keys, but not all of them. But when all of them have rolled the key, the key has a "reference count" of 0 and can be released.

	jakob
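
The per-zone model described in the message above, sketched as an added example that is not part of the original post and not OpenDNSSEC code. The class and field names are hypothetical and do not reflect the actual kasp schema; the key pair carries no timings, each zone's instance carries its own, and the key is released once its reference count reaches 0.

```python
# Added illustration: names are hypothetical, not OpenDNSSEC's kasp schema.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

@dataclass
class KeyPair:              # shared key material only, no timing fields
    key_id: str
    released: bool = False

@dataclass
class ZoneKey:              # one zone's instance of a key, with its own timings
    zone: str
    keypair: KeyPair
    ds_published: Optional[datetime] = None
    ds_ready: Optional[datetime] = None
    retired: bool = False

class KeyStore:
    def __init__(self):
        self.zone_keys = []

    def attach(self, zone, keypair):
        zk = ZoneKey(zone, keypair)
        self.zone_keys.append(zk)
        return zk

    def refcount(self, keypair):
        # Number of zones still using this key pair.
        return sum(1 for zk in self.zone_keys
                   if zk.keypair is keypair and not zk.retired)

    def publish_ds(self, zk, published, ready):
        # DS timings are recorded per zone, so zones sharing a key can differ.
        zk.ds_published, zk.ds_ready = published, ready

    def roll(self, zone, old, new):
        # Roll one zone only; release the old key once no zone references it.
        for zk in self.zone_keys:
            if zk.zone == zone and zk.keypair is old:
                zk.retired = True
        new_zk = self.attach(zone, new)
        old.released = self.refcount(old) == 0
        return new_zk
```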



