[Opendnssec-develop] DoubleDNSKEY rollover
sion at nominet.org.uk
Fri Mar 5 10:09:18 UTC 2010
> Isn't it OK to have a DS record for a KSK that is not active, only pre-
> published? Isn't that the purpose of the standby key? Just so that
> you can roll at once, in case of emergency.
Okay, we can have this.
What I'll do is take the standby key out of the normal sequence into a
"ds-submitted, ds-ready" state, but reuse the publish and ready timestamp
columns (to avoid database schema changes).
Then, if a rollover is requested, we will use a key in the ready state if one
exists, otherwise one in the "ds-ready" state; failing that, we will promote
a key and wait.
Does this sound right to people?
Sion
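Added illustration (not code from the thread or from OpenDNSSEC): a small model of the key states and the selection rule described in the message above. The state names, the shared "publish"/"ready" timestamp columns, and the preference order (ready, then ds-ready, then promote and wait) follow the post; the Key fields, the `propagation` delay, and the `ds_seen` call that moves a standby key from ds-submitted to ds-ready are assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple


class State(Enum):
    GENERATE = "generate"          # key exists, not yet in the zone
    PUBLISH = "publish"            # DNSKEY in the zone, waiting to propagate
    READY = "ready"                # propagated; may be made active at once
    DS_SUBMITTED = "ds-submitted"  # standby path: DS handed to the parent
    DS_READY = "ds-ready"          # standby path: DS live at parent, key not active
    ACTIVE = "active"
    RETIRE = "retire"


@dataclass
class Key:
    """Constructed model of one enforcer key row (hypothetical fields)."""
    tag: int
    state: State
    standby: bool = False
    publish: Optional[int] = None  # timestamp column shared by both paths
    ready: Optional[int] = None    # timestamp column shared by both paths


def advance(key: Key, now: int, propagation: int) -> Key:
    """Time-driven transition out of 'publish'. A standby key leaves the
    normal sequence here: it goes to 'ds-submitted' instead of 'ready',
    while the same 'publish' column records when its DNSKEY was published."""
    if (key.state is State.PUBLISH and key.publish is not None
            and now >= key.publish + propagation):
        if key.standby:
            key.state = State.DS_SUBMITTED
        else:
            key.state = State.READY
            key.ready = now
    return key


def ds_seen(key: Key, now: int) -> Key:
    """Operator confirms the DS is live at the parent (assumed trigger); the
    standby key becomes 'ds-ready' and reuses the 'ready' column for that time."""
    if key.state is State.DS_SUBMITTED:
        key.state = State.DS_READY
        key.ready = now
    return key


def select_for_rollover(keys: List[Key], now: int) -> Tuple[Optional[Key], str]:
    """Preference order from the post: ready > ds-ready > promote a key and wait."""
    for wanted in (State.READY, State.DS_READY):
        for k in keys:
            if k.state is wanted:
                return k, "activate"
    for k in keys:
        if k.state in (State.GENERATE, State.PUBLISH):
            if k.state is State.GENERATE:      # promote into the zone now
                k.state = State.PUBLISH
                k.publish = now
            return k, "wait"                   # nothing usable yet
    return None, "none"


def rollover(keys: List[Key], now: int) -> Tuple[Optional[Key], str]:
    """Emergency KSK rollover: activate the chosen key, retire the old one."""
    chosen, action = select_for_rollover(keys, now)
    if action == "activate" and chosen is not None:
        for k in keys:
            if k.state is State.ACTIVE:
                k.state = State.RETIRE
        chosen.state = State.ACTIVE
    return chosen, action


def demo():
    """Standby key walks publish -> ds-submitted -> ds-ready, then an
    emergency rollover picks it without any waiting."""
    keys = [Key(1, State.ACTIVE),
            Key(2, State.PUBLISH, standby=True, publish=0),
            Key(3, State.GENERATE)]
    advance(keys[1], now=100, propagation=50)   # DNSKEY propagated, DS submitted
    ds_seen(keys[1], now=200)                   # DS live at parent: ds-ready
    chosen, action = rollover(keys, now=300)
    return [(k.tag, k.state.value) for k in keys], chosen.tag, action


if __name__ == "__main__":
    print(demo())
```

The third branch is the one that costs time: with no ready or ds-ready key on hand, the best the enforcer can do is publish a fresh key and wait for propagation, which is exactly the delay a standby key is meant to remove.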