[Opendnssec-develop] Key sharing and new zones

Sion Lloyd sion at nominet.org.uk
Mon Sep 6 07:39:57 UTC 2010

> What logic should we have when adding new zones to a policy that is sharing
> keys between already existing zones?
> The current trunk takes take the first available keys. But that means that
> the zone will most likely get dead or retired keys (according to the other
> zones). The keys will be assigned since they haven't been purged yet.
> Shouldn't we use the newest set of keys in order to be aligned with the
> zone that has progressed the furthest in key rollovers?
> The reason not to use a dead or retired key is because we somehow have
> determined them to be unsafe to use, when we do a rollover.

It should only pick up dead keys which "died of natural causes", i.e. ones 
that were retired according to their lifetime, not ones which were rolled 

Of course if we want to keep zones roughly in sync then I should probably take 
the currently active keys instead. This might not be so simple in a system 
where a key exists in lots of different states... So the logic could be "the 
oldest key which is not in the retired state on any zone"? Or "the most 
recently published key"?


More information about the Opendnssec-develop mailing list