[Opendnssec-develop] Key sharing and new zones
Rick van Rein
rick at openfortress.nl
Mon Sep 6 11:23:23 UTC 2010
Hey,
> The problem with this is that in order to properly describe "very soon"
> we need a new configuration parameter.
>
> So, would everyone be happy if I go with "the most
> recently published key"?
Agreed (on both points).
> This would be the active key unless its successor has already been
> published. Of course if you happen to run just before the next key is
> published then you will use a key that is about to retire.
Yes, and "very soon" then basically becomes "we haven't yet started the process
of introducing new key material". Makes bundles of sense to me.
> If we want to avoid that and use some logic like "only use the active
> key
> if it has been active for less than 25% of its lifetime" then:
> 1) it is more work
> 2) adding zones will be slower
> and
> 3) we either need a new configuration option, or we hard-code something.
> none of which mean that we shouldn't do it of course.
This all sounds like a bad idea to me...
-Rick
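The two selection rules debated above, as an added illustration that is not part of the original thread and not OpenDNSSEC's own code. The key record, the pool and the timestamps are constructed for the example; the functions `most_recently_published` and `active_if_fresh` are hypothetical names. The sample pool reproduces the edge case the quoted text raises: a new zone added just before the successor is published gets the active key that is about to retire, while the "less than 25% of its lifetime" rule refuses to hand out any key at that point.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional


@dataclass(frozen=True)
class SharedKey:
    """Hypothetical view of one key in a shared pool (not OpenDNSSEC's data model)."""
    name: str
    published: datetime         # when the DNSKEY first appeared in a zone
    active: Optional[datetime]  # when it started signing; None = not yet active
    lifetime: timedelta         # planned time from activation to retirement


def most_recently_published(keys: Iterable[SharedKey], now: datetime) -> Optional[SharedKey]:
    """Rule agreed in the thread: hand a new zone the key published most recently.

    A successor that is scheduled but not yet published is ignored, so just
    before publication this still returns the key that is about to retire.
    """
    candidates = [k for k in keys if k.published <= now]
    if not candidates:
        return None
    return max(candidates, key=lambda k: k.published)


def active_if_fresh(keys: Iterable[SharedKey], now: datetime,
                    fraction: float = 0.25) -> Optional[SharedKey]:
    """Alternative rule from the thread: use the active key only if less than
    `fraction` of its lifetime has elapsed; otherwise return None, meaning the
    caller must wait for (or generate) fresh key material before adding the zone.
    """
    active = [k for k in keys if k.active is not None and k.active <= now]
    active.sort(key=lambda k: k.active, reverse=True)  # newest activation first
    for k in active:
        if now - k.active < k.lifetime * fraction:
            return k
    return None


def remaining_lifetime(key: SharedKey, now: datetime) -> timedelta:
    """Time left before the key's planned retirement (requires an active key)."""
    assert key.active is not None, "key has not been activated"
    return key.active + key.lifetime - now


# Constructed sample pool: key A is 85 days into a 90-day lifetime, so it has
# 5 days left; its successor B is scheduled for publication 2 days from T0.
T0 = datetime(2010, 9, 6, tzinfo=timezone.utc)
DAY = timedelta(days=1)
KEY_A = SharedKey("ksk-A", published=T0 - 90 * DAY, active=T0 - 85 * DAY, lifetime=90 * DAY)
KEY_B = SharedKey("ksk-B", published=T0 + 2 * DAY, active=None, lifetime=90 * DAY)
POOL = (KEY_A, KEY_B)


if __name__ == "__main__":
    for label, now in (("zone added early in A's life", T0 - 80 * DAY),
                       ("zone added just before B is published", T0),
                       ("zone added after B is published", T0 + 3 * DAY)):
        recent = most_recently_published(POOL, now)
        fresh = active_if_fresh(POOL, now)
        print(f"{label}: most-recently-published -> {recent.name if recent else None}, "
              f"25%-rule -> {fresh.name if fresh else 'wait for new key'}")
```

Run as a script it walks through three zone-creation times; the middle one is the case the thread worries about, where the simple rule picks a key with only days of lifetime left and the stricter rule returns nothing, which is exactly the "adding zones will be slower" cost mentioned in the quoted text.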