[Opendnssec-develop] Enforcer NG testing
Yuri Schaeffer
yuri at NLnetLabs.nl
Tue Aug 30 13:33:49 UTC 2011
> Zone:      Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:  Pub:  Act:  Id:
> blipp.com  KSK        omnipresent  omnipresent  omnipresent   NA      1     0     27d98675ec791fd63905d430df510007
>
> Omnipresent in all fields, but the Act column is not set to 1.
> Shouldn't it be considered as active?
I think we have a lack of granularity here (and an error), due to how
the signconf _used_ to work. Formerly a published KSK implied signing
the DNSKEY set.
We should have three flags here:
published - publish dnskey record (as is now)
active_ksk - sign dnskeyset
active_zsk - sign zone data
Currently the active flag has a different meaning depending on the role
of the key, which gets extra confusing when it is a single key signing
scheme. The Signer configuration does not have this ambiguity (anymore),
so it is an internal Enforcer problem. I will fix this.
I propose to add the extra flag to the user interface as well. But an
alternative is to keep the interface and have
active = active_ksk|active_zsk
//yuri
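An added illustration of the three-flag model from the message above, next to the "keep the interface" alternative. This is example code written for this page, not Enforcer NG code: it parses rows laid out like the quoted key list, and the rule that a flag is set when the DNSKEY / RRSIGDNSKEY / RRSIG record is in one of the states in IN_USE is an assumption made here, as are the ZSK and CSK rows and their key ids.

```python
from dataclasses import dataclass

# Added example, not OpenDNSSEC code. Models the three per-key flags proposed
# in the message (published / active_ksk / active_zsk) beside the single merged
# 'active' bit, reading rows in the layout of the quoted 'key list' output.
# Assumption: a flag is set when the record it controls is in a state listed
# in IN_USE; which states count as "in use" is assumed for illustration.

COLUMNS = ("zone", "role", "ds", "dnskey", "rrsigdnskey", "rrsig", "pub", "act", "id")
IN_USE = {"rumoured", "omnipresent"}  # assumed "record must be produced now" states

# The KSK row quoted at the top of the thread.
KSK_LINE = "blipp.com KSK omnipresent omnipresent omnipresent NA 1 0 27d98675ec791fd63905d430df510007"
# Constructed rows with hypothetical key ids: a plain ZSK, and a CSK that already
# signs the DNSKEY set while its zone-data signatures are still hidden.
ZSK_LINE = "blipp.com ZSK NA omnipresent NA omnipresent 1 1 0123456789abcdef0123456789abcdef"
CSK_LINE = "blipp.com CSK omnipresent omnipresent omnipresent hidden 1 1 fedcba9876543210fedcba9876543210"


@dataclass(frozen=True)
class KeyRow:
    zone: str
    role: str          # KSK, ZSK or CSK (single key signing scheme)
    ds: str
    dnskey: str
    rrsigdnskey: str
    rrsig: str
    pub: int           # Pub column as reported by the Enforcer
    act: int           # Act column as reported by the Enforcer
    id: str


def parse_row(line):
    """Split one whitespace-separated row into a KeyRow; rejects rows of the wrong width."""
    fields = line.split()
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}: {line!r}")
    row = dict(zip(COLUMNS, fields))
    return KeyRow(**{**row, "pub": int(row["pub"]), "act": int(row["act"])})


def flags(k):
    """Three independent flags; each follows the state of the record it controls."""
    return {
        "published": k.dnskey in IN_USE,        # put the DNSKEY record in the set
        "active_ksk": k.rrsigdnskey in IN_USE,  # sign the DNSKEY RRset with this key
        "active_zsk": k.rrsig in IN_USE,        # sign zone data with this key
    }


def merged_active(k):
    """The 'keep the interface' alternative: active = active_ksk | active_zsk."""
    f = flags(k)
    return int(f["active_ksk"] or f["active_zsk"])


def reported_matches(k):
    """True when the Act column the Enforcer printed agrees with the merged flag."""
    return k.act == merged_active(k)


def merged_is_ambiguous(k):
    """The merged bit loses information exactly for a CSK that may do one job
    but not the other; for a KSK or ZSK the role says which job 'active' means."""
    f = flags(k)
    return k.role == "CSK" and f["active_ksk"] != f["active_zsk"]


if __name__ == "__main__":
    for line in (KSK_LINE, ZSK_LINE, CSK_LINE):
        k = parse_row(line)
        print(k.role, flags(k), "merged active:", merged_active(k),
              "reported Act:", k.act, "ambiguous:", merged_is_ambiguous(k))
```

Run stand-alone, the quoted KSK row comes out with active_ksk set and a merged active of 1 against the reported Act of 0, and the constructed CSK row shows why a single bit is not enough once one key does both jobs.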