[Opendnssec-develop] Key sharing and new zones
Sion Lloyd
sion at nominet.org.uk
Mon Sep 6 10:29:54 UTC 2010
> > The current trunk takes the first available keys. But that means
> > that the zone will most likely get dead or retired keys (according to
> > the other zones). The keys will be assigned since they haven't been
> > purged yet. Shouldn't we use the newest set of keys in order to be
> > aligned with the zone that has progressed the furthest in key rollovers?
>
> I would formulate an answer in terms of "the key shouldn't be scheduled for
> rolling very soon, nor should it be used longer than we deem safe". What
> that means in most practical scenarios is to use the newest.
The problem with this is that in order to properly describe "very soon"
we need a new configuration parameter.
So, would everyone be happy if I go with "the most
recently published key"?
This would be the active key unless its successor has already been
published. Of course if you happen to run just before the next key is
published then you will use a key that is about to retire.
If we want to avoid that and use some logic like "only use the active key
if it has been active for less than 25% of its lifetime" then:
1) it is more work
2) adding zones will be slower
and
3) we either need a new configuration option, or we hard-code something.
None of which means that we shouldn't do it, of course.
Sion
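The three selection rules under discussion, side by side, as an added illustration that is not OpenDNSSEC's own code: "first available key" (the trunk behaviour described in the quote), "most recently published key" (the proposal above), and "active key only if it has been active for less than 25% of its lifetime, otherwise a published successor". The key states, timestamps (in days) and the shared pool are constructed for the example; `lifetime` and `fraction` are the extra parameters the mail says such a rule would need.

```python
"""Key-selection rules for a new zone joining a shared key pool.

Added example, not OpenDNSSEC code. Key states are simplified to the
timestamps a new zone would inspect; the pool below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Key:
    tag: int
    published: int            # day the DNSKEY first appeared in the zone
    active: Optional[int]     # day it started signing, None if not yet
    retired: Optional[int]    # day it stopped signing, None if still signing
    dead: bool = False        # past retire + TTL and eligible for purge


def first_available(pool: List[Key], now: int) -> Optional[Key]:
    """Trunk behaviour from the quote: first key that has not been purged,
    even if another zone already retired it."""
    for k in sorted(pool, key=lambda k: k.tag):
        if not k.dead:
            return k
    return None


def most_recently_published(pool: List[Key], now: int) -> Optional[Key]:
    """Proposal in the mail: the newest published key. This is the active key
    unless its successor has already been published."""
    live = [k for k in pool if not k.dead and k.published <= now]
    return max(live, key=lambda k: k.published) if live else None


def fresh_active_or_successor(pool: List[Key], now: int, lifetime: int,
                              fraction: float = 0.25) -> Optional[Key]:
    """Alternative rule: keep the active key only while it has been active for
    less than `fraction` of `lifetime` (assumed extra parameters); otherwise
    prefer a published successor. If no successor has been published yet the
    active key is still the best on offer, so fall back to it."""
    live = [k for k in pool if not k.dead and k.published <= now]
    signing = [k for k in live
               if k.active is not None and k.active <= now and k.retired is None]
    current = max(signing, key=lambda k: k.active) if signing else None
    if current is not None and (now - current.active) < fraction * lifetime:
        return current
    successors = [k for k in live if k.active is None or k.active > now]
    if successors:
        return max(successors, key=lambda k: k.published)
    return current


# Constructed pool: 100-day key lifetime, successor pre-published 10 days
# before the active key retires. Key 1 is retired but not yet purged.
LIFETIME = 100
POOL = [
    Key(tag=1, published=0, active=10, retired=110),
    Key(tag=2, published=100, active=110, retired=None),
    Key(tag=3, published=200, active=None, retired=None),
]


def choose_all(now: int) -> dict:
    """Tag chosen by each rule at day `now` (None if nothing qualifies)."""
    pick = lambda k: None if k is None else k.tag
    return {
        "first_available": pick(first_available(POOL, now)),
        "most_recently_published": pick(most_recently_published(POOL, now)),
        "fresh_active_or_successor": pick(
            fresh_active_or_successor(POOL, now, LIFETIME)),
    }


if __name__ == "__main__":
    # Day 205: successor already published, key 2 near the end of its life.
    # Day 195: just before the successor is published (the caveat in the mail).
    # Day 120: key 2 freshly active.
    for day in (205, 195, 120):
        print(day, choose_all(day))
```

At day 205 the trunk rule hands the new zone the retired key 1, while both other rules pick key 3. At day 195, before key 3 is published, "most recently published" returns key 2 with only 15 days of its lifetime left, which is exactly the window the mail warns about; the threshold rule cannot do better either, because there is nothing newer to choose.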