[Opendnssec-develop] Key sharing and new zones

Sion Lloyd sion at nominet.org.uk
Mon Sep 6 10:29:54 UTC 2010

> > The current trunk takes take the first available keys. But that means
> > that the zone will most likely get dead or retired keys (according to
> > the other zones). The keys will be assigned since they haven't been
> > purged yet. Shouldn't we use the newest set of keys in order to be
> > aligned with the zone that has progressed the furthest in key rollovers?
> I would formulate an answer in terms of "the key shouldn't be scheduled for
> rolling very soon, nor should it be used longer than we deem safe".  What
> that means in most practical scenarios is to use the newest.

	The problem with this is that in order to properly describe "very soon" 
we need a new configuration parameter.

	So, would everyone be happy if I go with "the most 
recently published key"?

	This would be the active key unless it's sucessor has already been 
published. Of course if you happen to run just before the next key is 
published then you will use a key that is about to retire. 

	If we want to avoid that and use some logic like "only use the active key 
if it has been active for less than 25% of its lifetime" then:
1) it is more work
2) adding zones will be slower
3) we either need a new configuration option, or we hard-code something.
none of which mean that we shouldn't do it of course.


More information about the Opendnssec-develop mailing list