[Opendnssec-develop] Key sharing question
sion at nominet.org.uk
Tue May 11 15:05:19 UTC 2010
As promised (threatened?) earlier here is my key sharing question.
Do we need to do anything about zones drifting apart in terms of when keys are used?
Say we have 2 zones sharing keys, but one consistently gets forgotten when it comes to having the ds-seen command issued. In this case we would have the same key in a different state in each zone... No problem here.
But, given that the lifetime of the key is determined by the policy, it means that in an extreme case we could eventually see a key being published in one zone at the same time as it is retired from another... Maybe this is not too bad (except for the enforcer trying to keep track of all these keys). However, I worry about things like rolling from one HSM to another being difficult and hugely delayed...
My other worry is that the current rules for keys are complicated enough and I'd rather be making them simpler than more complicated.
Should we look at synchronising keys by reducing the lifetime so that it will retire in all zones at the same time?
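A toy model of the drift described in the message above, added here as an illustration; it is not OpenDNSSEC code and not the poster's. The state names (generate, publish, ready, active, retire), the 365-day lifetime, the 7-day publish safety period, the zone names and the ds-seen days are all hypothetical. It computes the day each zone's copy of a shared key would retire given when that zone got its ds-seen, the spread between zones, and the retire day under the proposal of shortening the lifetime so the key retires in every zone at once. It also shows the case the proposal does not cover: a zone that only starts publishing the key around the day the first zone retires it.

```python
"""Toy model of one KSK shared by several zones (constructed illustration)."""
from dataclasses import dataclass
from typing import Optional

LIFETIME_DAYS = 365       # hypothetical policy key lifetime
PUBLISH_SAFETY_DAYS = 7   # hypothetical: days a key is published before it may go active


@dataclass
class ZoneKey:
    """State of the shared key as seen from one zone."""
    zone: str
    published_at: int                   # day the key entered this zone's DNSKEY set
    ds_seen_at: Optional[int] = None    # day the operator ran ds-seen for this zone

    def ready_at(self) -> int:
        return self.published_at + PUBLISH_SAFETY_DAYS

    def ds_seen(self, day: int) -> None:
        """Record the operator's ds-seen; only meaningful once the key is ready."""
        if day < self.ready_at():
            raise ValueError(f"{self.zone}: key not ready until day {self.ready_at()}")
        if self.ds_seen_at is not None:
            raise ValueError(f"{self.zone}: ds-seen already recorded")
        self.ds_seen_at = day

    def natural_retire_at(self, lifetime: int = LIFETIME_DAYS) -> Optional[int]:
        """Retire day if this zone's copy simply lives out the policy lifetime."""
        return None if self.ds_seen_at is None else self.ds_seen_at + lifetime

    def state_at(self, day: int, retire_at: Optional[int] = None) -> str:
        """State in this zone on a given day; retire_at overrides the natural retire day."""
        if day < self.published_at:
            return "generate"
        if day < self.ready_at():
            return "publish"
        if self.ds_seen_at is None or day < self.ds_seen_at:
            return "ready"
        retire = self.natural_retire_at() if retire_at is None else retire_at
        return "active" if day < retire else "retire"


def drift_days(zones: list[ZoneKey]) -> int:
    """Spread between earliest and latest natural retire day over zones that went active."""
    retires = [z.natural_retire_at() for z in zones if z.natural_retire_at() is not None]
    return max(retires) - min(retires) if retires else 0


def synchronised_retire_at(zones: list[ZoneKey]) -> Optional[int]:
    """The proposal in the post: retire everywhere when the first zone's lifetime runs out,
    i.e. the zones that went active later get a shortened lifetime."""
    retires = [z.natural_retire_at() for z in zones if z.natural_retire_at() is not None]
    return min(retires) if retires else None


def states_on(zones: list[ZoneKey], day: int, synchronised: bool = False) -> dict:
    retire = synchronised_retire_at(zones) if synchronised else None
    return {z.zone: z.state_at(day, retire) for z in zones}


def demo() -> dict:
    # Constructed scenario: three zones share one KSK. Zone a gets ds-seen promptly,
    # zone b is the one that keeps getting forgotten, zone c joins the policy late.
    a = ZoneKey("a.example", published_at=0)
    b = ZoneKey("b.example", published_at=0)
    c = ZoneKey("c.example", published_at=370)   # hypothetical late joiner
    a.ds_seen(10)
    b.ds_seen(200)
    zones = [a, b, c]
    day = a.natural_retire_at()   # day 375: zone a's copy retires
    return {
        "drift": drift_days(zones),                          # 190 days between a and b
        "unsynced": states_on(zones, day),                   # a retire, b active, c publish
        "synced": states_on(zones, day, synchronised=True),  # a retire, b retire, c publish
    }


if __name__ == "__main__":
    print(demo())
```

Under the synchronised rule zones a and b retire together on day 375, but zone c is still in its publish period on that day: shortening the lifetime only helps the zones that have already gone active, so a zone that receives the key late still ends up with the key published while it is retiring elsewhere.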