[Opendnssec-develop] Key sharing and new zones

Rick van Rein rick at openfortress.nl
Mon Sep 6 08:19:16 UTC 2010


> The current trunk takes take the first available keys. But that means that the zone will most likely get dead or retired keys (according to the other zones). The keys will be assigned since they haven't been purged yet. Shouldn't we use the newest set of keys in order to be aligned with the zone that has progressed the furthest in key rollovers?

I would formulate an answer in terms of "the key shouldn't be scheduled for rolling
very soon, nor should it be used longer than we deem safe".  What that means in most
practical scenarios is to use the newest.

> The reason not to use a dead or retired key is because we somehow have determined them to be unsafe to use, when we do a rollover.

Of course.


More information about the Opendnssec-develop mailing list