[Opendnssec-develop] Enforcer NG testing
Rickard Bellgrim
rickard at opendnssec.org
Tue Aug 30 13:48:12 UTC 2011
> I think we have a lack of granularity here (and an error), due to how
> the signconf _used_ to work. Formerly a published KSK implied signing
> the DNSKEY set.
>
> We should have three flags here:
>
> published - publish dnskey record (as is now)
> active_ksk - sign dnskeyset
> active_zsk - sign zone data
The current Enforcer does not consider the KSK active until you also
have the DS-seen. Right, Sion?
// Rickard