[Opendnssec-develop] DoubleDNSKEY rollover

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Mar 5 10:14:04 UTC 2010


On 5 mar 2010, at 11.09, sion at nominet.org.uk wrote:

> Isn't it ok to have a DS record for a KSK that is not active, only
> pre-published? Isn't that the purpose of the standby key? Just so that
> you can roll at once, in case of emergency.
>
> Okay, we can have this.
>
> What I'll do is take the standby key out of the normal sequence into a
> "ds-submitted, ds-ready" state, but reuse the publish and ready timestamp
> columns (to avoid database schema changes).
>
> Then if a rollover is requested we will use a key in the ready state if one
> exists, otherwise one in the "ds-ready" state, failing that we will promote
> a key and wait.
>
> Does this sound right to people?

Yes

Because now we can send all the prepublished, ready, and active keys to the eppclient and it will sync the keys. It can then give an ok back, without enforcing a rollover.

// Rickard
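Added illustration of the key-selection logic discussed above (not OpenDNSSEC enforcer code, and not written by either poster). The state names "ready", "ds-submitted" and "ds-ready", the reuse of the publish/ready timestamp columns, the rollover preference order, and the list of keys handed to the eppclient come from the thread; the `Key` dataclass, the "generate"/"publish"/"active"/"retire" states of the normal sequence, the reading of "promote a key" as moving a generated key to "publish", and the inclusion of standby keys in the eppclient sync list are assumptions made for this model.

```python
"""Toy model of KSK rollover selection with an out-of-sequence standby key.

Added example, not OpenDNSSEC code. The normal KSK sequence assumed here is
generate -> publish -> ready -> active -> retire; a standby key leaves that
sequence and lives in "ds-submitted" / "ds-ready" instead, reusing the
publish and ready timestamp columns as the thread proposes.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Key:
    keytag: int
    state: str  # normal sequence state, or "ds-submitted" / "ds-ready"
    # For a standby key these two columns are reused: publish_ts holds the
    # time the DS was submitted, ready_ts the time the DS became ready.
    publish_ts: Optional[int] = None
    ready_ts: Optional[int] = None


def make_standby(key: Key, now: int) -> None:
    """Take a key out of the normal sequence by submitting its DS to the parent."""
    if key.state not in ("generate", "publish"):
        raise ValueError(f"key {key.keytag} in state {key.state} cannot become standby")
    key.state = "ds-submitted"
    key.publish_ts = now  # reused column: DS submission time


def ds_published(key: Key, now: int) -> None:
    """The parent now carries the DS: the standby key becomes ds-ready."""
    if key.state != "ds-submitted":
        raise ValueError(f"key {key.keytag} is {key.state}, not ds-submitted")
    key.state = "ds-ready"
    key.ready_ts = now  # reused column: time the DS became usable


def select_for_rollover(keys: List[Key], now: int) -> Tuple[Key, str]:
    """Choose the KSK for a requested rollover in the thread's preference order.

    Returns (key, "roll") when a rollover can proceed immediately, or
    (key, "wait") when a key had to be promoted and the caller must wait
    for it to become ready.
    """
    # 1) a key in the normal "ready" state, 2) a standby key in "ds-ready"
    for wanted in ("ready", "ds-ready"):
        for key in keys:
            if key.state == wanted:
                return key, "roll"
    # 3) failing that, promote a key and wait. Promoting means moving a
    #    generated key into "publish" here (assumption of this model).
    for key in keys:
        if key.state == "generate":
            key.state = "publish"
            key.publish_ts = now
            return key, "wait"
    raise LookupError("no key available to promote")


def keys_to_sync(keys: List[Key]) -> List[int]:
    """Key tags the eppclient should keep in sync with the parent.

    The reply lists prepublished, ready and active keys; standby keys are
    assumed to be included because they reuse the publish/ready columns.
    """
    wanted = {"publish", "ready", "active", "ds-submitted", "ds-ready"}
    return sorted(k.keytag for k in keys if k.state in wanted)


if __name__ == "__main__":
    # Constructed sample: one active KSK, one spare, one standby whose DS is ready.
    active, spare, standby = Key(1, "active"), Key(2, "generate"), Key(3, "generate")
    make_standby(standby, now=100)
    ds_published(standby, now=200)
    key, action = select_for_rollover([active, spare, standby], now=300)
    print(f"rollover uses key {key.keytag} ({key.state}): {action}")
    print("eppclient sync set:", keys_to_sync([active, spare, standby]))
```

Because the selection never touches a "ds-submitted" key, a standby key whose DS the parent has not yet published cannot be picked for an emergency roll; that matches the reason for keeping the DS pre-published in the first place.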