[Opendnssec-develop] DoubleDNSKEY rollover
Rickard Bellgrim
rickard.bellgrim at iis.se
Thu Mar 4 14:38:56 UTC 2010
On 4 mar 2010, at 15.22, <sion at nominet.org.uk> wrote:
>> My vision is that the rolling of keys is separated from the ds-seen
>> command. The ds-seen command will only mark a key as seen in the
>> parent zone. The enforcer will then by itself determine if it can
>> roll the key, but only if the key has been marked.
>>
>> You can thus mark multiple keys, without enforcing a rollover.
>
> Okay, what I'll do straight away then is I'll reverse the logic so that you
> need to supply a --retire flag or the old key will be left active.
>
>> Will you not save time by publishing the DS record of the standby key?
>
> Yes, but then you will have multiple active keys rather than a standby
> key... I'm not sure if that is what users would expect?
Isn't it OK to have a DS record for a KSK that is not active, only pre-published? Isn't that the purpose of the standby key? Just so that you can roll at once, in case of emergency.
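A toy model of the semantics under discussion, added here as an illustration and not OpenDNSSEC's enforcer code (the Ksk/Zone classes, the state names and the ds_seen/enforce/emergency_roll functions are all assumptions): ds-seen only marks a key's DS as seen in the parent, several keys can be marked without any rollover, and a marked-but-inactive key is the standby that can be rolled to at once.

```python
from dataclasses import dataclass, field
@dataclass
class Ksk:
    tag: int
    state: str = "publish"   # publish -> ready (DS seen in parent) -> active -> retire
    ds_seen: bool = False
    retire_old: bool = False  # set by ds_seen(..., retire=True); the enforcer acts on it

@dataclass
class Zone:
    keys: list = field(default_factory=list)

    def find(self, tag):
        return next(k for k in self.keys if k.tag == tag)

    def active(self):
        return [k for k in self.keys if k.state == "active"]

    def standby(self):
        # DS already in the parent but the key is not signing: can roll at once.
        return [k for k in self.keys if k.ds_seen and k.state == "ready"]

def ds_seen(zone, tag, retire=False):
    """Mark the key's DS as seen in the parent; retire=True asks for a roll."""
    k = zone.find(tag)
    k.ds_seen = True
    if k.state == "publish":
        k.state = "ready"
    k.retire_old = k.retire_old or retire

def enforce(zone):
    """One enforcer pass: only DS-seen keys flagged for retirement cause a roll."""
    was_active = zone.active()
    rolled = []
    for k in zone.keys:
        if k.state == "ready" and k.ds_seen and k.retire_old:
            k.state, k.retire_old = "active", False
            rolled.append(k.tag)
    if rolled:
        for old in was_active:   # previously active keys are retired by the roll
            old.state = "retire"
    return rolled

def emergency_roll(zone, tag):
    """Promote a standby key now: its DS is already published, so no waiting."""
    if zone.find(tag) not in zone.standby():
        raise ValueError(f"key {tag} has no DS in the parent yet")
    ds_seen(zone, tag, retire=True)
    return enforce(zone)
```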