[Opendnssec-develop] Key sharing and new zones

Sion Lloyd sion at nominet.org.uk
Mon Sep 6 07:39:57 UTC 2010


> What logic should we have when adding new zones to a policy that is sharing
> keys between already existing zones?
> 
> The current trunk takes the first available keys. But that means that
> the zone will most likely get dead or retired keys (according to the other
> zones). The keys will be assigned since they haven't been purged yet.
> Shouldn't we use the newest set of keys in order to be aligned with the
> zone that has progressed the furthest in key rollovers?
> 
> The reason not to use a dead or retired key is because we somehow have
> determined them to be unsafe to use, when we do a rollover.

It should only pick up dead keys which "died of natural causes", i.e. ones 
that were retired according to their lifetime, not ones which were rolled 
manually...

Of course if we want to keep zones roughly in sync then I should probably take 
the currently active keys instead. This might not be so simple in a system 
where a key exists in lots of different states... So the logic could be "the 
oldest key which is not in the retired state on any zone"? Or "the most 
recently published key"?

Sion
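As an added illustration of the selection rules being discussed (not OpenDNSSEC's own code), the Python sketch below compares the trunk's "first available key" pick with the two candidate rules from the reply and the "died of natural causes" filter, over a constructed set of keys shared by two zones; the key-state names, field names and timestamps are assumptions.

```python
from dataclasses import dataclass

# Assumed per-zone key states, loosely following the vocabulary in the thread.
RETIRED_STATES = {"retire", "dead"}


@dataclass
class SharedKey:
    key_id: str
    published: int          # constructed publish time (seconds since epoch)
    manual_rollover: bool   # True if an operator rolled it, not its lifetime
    states: dict            # zone name -> state of this key on that zone


def retired_anywhere(key):
    """True if some zone already treats this key as retired or dead."""
    return any(s in RETIRED_STATES for s in key.states.values())


def first_available(keys):
    """Trunk behaviour described in the thread: the first key not yet purged,
    which is typically the oldest one and often already dead elsewhere."""
    return keys[0].key_id if keys else None


def natural_causes_only(keys):
    """Only rule out keys that were rolled manually: an emergency rollover
    marks a key unsafe, whereas a key that aged out of its lifetime is not."""
    return [k for k in keys if not (k.manual_rollover and retired_anywhere(k))]


def oldest_not_retired_anywhere(keys):
    """Rule 1 from the reply: the oldest key no zone has retired."""
    live = [k for k in keys if not retired_anywhere(k)]
    return min(live, key=lambda k: k.published).key_id if live else None


def most_recently_published(keys):
    """Rule 2 from the reply: the newest key, matching the zone furthest along."""
    return max(keys, key=lambda k: k.published).key_id if keys else None


# Constructed sample: two zones sharing four keys at different rollover stages.
SAMPLE_KEYS = [
    SharedKey("K1", 100, False, {"a.example": "dead", "b.example": "retire"}),
    SharedKey("K2", 200, True, {"a.example": "retire", "b.example": "active"}),
    SharedKey("K3", 300, False, {"a.example": "active", "b.example": "active"}),
    SharedKey("K4", 400, False, {"a.example": "publish", "b.example": "publish"}),
]
```

Running the four functions over `SAMPLE_KEYS` shows the problem the thread raises: the trunk rule hands the new zone K1, which both existing zones already consider dead.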


