[Opendnssec-develop] Enforcer NG testing
Siôn Lloyd
sion at nominet.org.uk
Tue Aug 30 13:52:05 UTC 2011
On 30/08/11 14:48, Rickard Bellgrim wrote:
>> I think we have a lack of granularity here (and an error), due to how
>> the signconf _used_ to work. Formerly a published KSK implied signing
>> the DNSKEY set.
>>
>> We should have three flags here:
>>
>> published - publish dnskey record (as is now)
>> active_ksk - sign dnskeyset
>> active_zsk - sign zone data
> The current Enforcer does not consider the KSK active until you also
> have the DS-seen. Right Sion?
>
That is correct. At the point of issuing the ds-seen command the key is
made active.
More information about the Opendnssec-develop
mailing list