[Opendnssec-develop] Key sharing and new zones

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Sep 13 13:10:33 UTC 2010


Hi

On 6 sep 2010, at 09.34, Rickard Bellgrim wrote:

> What logic should we have when adding new zones to a policy that is sharing keys between already existing zones?
> 
> The current trunk takes the first available keys. But that means that the zone will most likely get dead or retired keys (according to the other zones). The keys will be assigned since they haven't been purged yet. Shouldn't we use the newest set of keys in order to be aligned with the zone that has progressed the furthest in key rollovers?
> 
> The reason not to use a dead or retired key is because we somehow have determined them to be unsafe to use, when we do a rollover.

What is the status on this one?

// Rickard
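The two selection rules under discussion, side by side, as an added illustration that is not OpenDNSSEC's own code: `first_available` models the described current-trunk behaviour (first key per role in store order, unpurged retired/dead keys included), and `newest_shared_set` models the proposal (skip retired and dead keys, newest first, so a new zone lands where the furthest-progressed zone is). The key tags, generation ordinals and the sample key store are constructed; the state names follow the OpenDNSSEC 1.x KASP state machine.

```python
from dataclasses import dataclass

# Key states of the OpenDNSSEC 1.x KASP state machine, in rollover order.
STATE_ORDER = ["generate", "publish", "ready", "active", "retire", "dead"]
# States the mail argues a new zone must not inherit from its policy.
UNSAFE_STATES = {"retire", "dead"}


@dataclass(frozen=True)
class Key:
    keytag: int      # constructed value, not a real key tag
    role: str        # "KSK" or "ZSK"
    state: str       # one of STATE_ORDER
    generation: int  # constructed ordinal: higher means newer


def first_available(keys):
    """Described current-trunk rule: first key per role in store order,
    regardless of state, so unpurged retired/dead keys can be chosen."""
    chosen = {}
    for k in keys:
        chosen.setdefault(k.role, k)
    return chosen


def newest_shared_set(keys):
    """Proposed rule: every key per role that is not retired or dead,
    newest first. A zone mid-rollover keeps both its active and its
    published successor key, so the result is a list per role."""
    usable = [k for k in keys if k.state not in UNSAFE_STATES]
    result = {}
    for k in sorted(usable, key=lambda key: -key.generation):
        result.setdefault(k.role, []).append(k)
    return result


def missing_roles(selection, roles=("KSK", "ZSK")):
    """Roles with no usable shared key at all; the enforcer would have to
    generate a fresh key rather than fall back to a retired or dead one."""
    return [r for r in roles if not selection.get(r)]


# Constructed sample of one policy's shared key store.
SHARED_KEYS = [
    Key(1001, "ZSK", "dead", 1),
    Key(1002, "KSK", "retire", 1),
    Key(1003, "ZSK", "retire", 2),
    Key(1004, "KSK", "active", 2),
    Key(1005, "ZSK", "active", 3),
    Key(1006, "ZSK", "publish", 4),
]

if __name__ == "__main__":
    old = first_available(SHARED_KEYS)
    new = newest_shared_set(SHARED_KEYS)
    for role in ("KSK", "ZSK"):
        print(f"{role}: first available -> {old[role].keytag} ({old[role].state}); "
              f"newest usable -> {[k.keytag for k in new[role]]}")
    print("roles still needing a key:", missing_roles(new))
```

With the sample store the old rule hands the new zone a dead ZSK and a retired KSK, while the proposed rule gives it the active KSK plus the active ZSK and its already-published successor; `missing_roles` covers the case where a policy's shared keys are all retired or dead and nothing can be reused.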

