[Opendnssec-develop] ZSK rollovers
sion at nominet.org.uk
Thu May 6 08:06:19 UTC 2010
> The signer currently replaces signatures only if the keytag matches. For
> example, in the current signer engine, Key 12345 will not replace old
> signatures that were created with Key 67890.
So in the unlikely event that you roll to a key with the same keytag we would see a gradual replacement of signatures?
- - Now we have introduced assumptions about what rollover scheme is used
into the signer engine. While it was explicitly designed *not* to know
I think that we can cope with this. The enforcer should mark any key that should be used to sign as "active", then the signer doesn't need to know _why_ the key should be used, just that it should be.
More information about the Opendnssec-develop