[Opendnssec-develop] Key sharing and new zones

Rick van Rein rick at openfortress.nl
Mon Sep 6 11:23:23 UTC 2010


>       The problem with this is that in order to properly describe "very soon"
> we need a new configuration parameter.
>       So, would everyone be happy if I go with "the most
> recently published key"?

Agreed (on both points).

>       This would be the active key unless its successor has already been
> published. Of course if you happen to run just before the next key is
> published then you will use a key that is about to retire.

Yes, and "very soon" then basically becomes "we haven't yet started the process
of introducing new key material".  Makes bundles of sense to me.

>       If we want to avoid that and use some logic like "only use the active key
> if it has been active for less than 25% of its lifetime" then:
> 1) it is more work
> 2) adding zones will be slower
> and
> 3) we either need a new configuration option, or we hard-code something.
> none of which mean that we shouldn't do it of course.

This all sounds like a bad idea to me...
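The two selection rules discussed in this thread, "the most recently published key" versus "the active key only if it has been active for less than 25% of its lifetime", written out as an added illustration; this is not OpenDNSSEC code and not anything either poster wrote. It assumes a key becomes active at `active` and retires at `active + lifetime`, models the 25% rule as returning `None` when no key is fresh enough (i.e. the new zone has to wait, which is the "adding zones will be slower" cost), and uses a constructed two-key sample (`KEY1`, `KEY2`) with an invented January 2010 timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Key:
    """A shared key as seen by the enforcer (fields are assumptions for this example)."""
    name: str
    published: datetime          # DNSKEY first published in the zone
    active: Optional[datetime]   # started signing; None = pre-published, not yet active
    lifetime: timedelta          # configured key lifetime, counted from activation


def is_active(key: Key, now: datetime) -> bool:
    """Assumption: a key is active from `active` until `active + lifetime` (its retire time)."""
    return key.active is not None and key.active <= now < key.active + key.lifetime


def most_recently_published(keys: List[Key], now: datetime) -> Optional[Key]:
    """Rule 1 from the thread: pick the key that was published most recently.

    This is the active key unless its successor has already been published;
    run just before the roll and you get a key that is about to retire.
    """
    candidates = [k for k in keys if k.published <= now]
    if not candidates:
        return None
    return max(candidates, key=lambda k: k.published)


def fresh_active_key(keys: List[Key], now: datetime,
                     max_fraction: float = 0.25) -> Optional[Key]:
    """Rule 2 from the thread: only use the active key if it has been active for
    less than `max_fraction` of its lifetime.  Returns None when it has not, which
    here means "wait for the next key" (the slower-zone-addition cost).
    `max_fraction` is the hard-coded or configured value the thread mentions.
    """
    active = [k for k in keys if is_active(k, now)]
    if not active:
        return None
    key = max(active, key=lambda k: k.active)        # newest active key if several overlap
    used = (now - key.active) / key.lifetime          # fraction of lifetime already consumed
    return key if used < max_fraction else None


def time_until_retire(key: Key, now: datetime) -> timedelta:
    """How long the chosen key will keep signing before it retires (assumed model)."""
    assert key.active is not None
    return key.active + key.lifetime - now


def day(n: int) -> datetime:
    """Constructed timeline helper: day n of January 2010."""
    return datetime(2010, 1, n)


# Constructed sample: KEY1 is active with a 30-day lifetime, KEY2 is its
# pre-published successor that is in the zone but not yet signing.
KEY1 = Key("ksk-2010-01", published=day(1), active=day(1), lifetime=timedelta(days=30))
KEY2 = Key("ksk-2010-02", published=day(25), active=None, lifetime=timedelta(days=30))
KEYS = [KEY1, KEY2]


if __name__ == "__main__":
    for when in (day(3), day(20), day(27)):
        recent = most_recently_published(KEYS, when)
        fresh = fresh_active_key(KEYS, when)
        print(f"{when.date()}: most-recently-published -> {recent.name if recent else None}, "
              f"fresh-active (<25%) -> {fresh.name if fresh else 'wait'}")
```

On day 20 the first rule hands the new zone `KEY1` with ten days left before it retires, exactly the "about to retire" case from the thread, while the second rule makes the zone wait; on day 27 the first rule already picks the pre-published `KEY2` without any extra configuration, which is why it needs no new parameter.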
