[Opendnssec-develop] ZSK rollovers

Sion Lloyd sion at nominet.org.uk
Thu May 6 08:06:19 UTC 2010

> The signer currently replaces signatures only if the keytag matches. For
> example, in the current signer engine, Key 12345 will not replace old
> signatures that were created with Key 67890.

So in the unlikely event that you roll to a key with the same keytag we would see a gradual replacement of signatures?

> - Now we have introduced assumptions about what rollover scheme is used
> into the signer engine. While it was explicitly designed *not* to know

I think that we can cope with this. The enforcer should mark any key that should be used to sign as "active", then the signer doesn't need to know _why_ the key should be used, just that it should be.

