[Opendnssec-develop] Enforcer NG testing

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Aug 30 14:21:56 UTC 2011


>>> published  - publish dnskey record (as is now)
>>> active_ksk - sign dnskeyset
>>> active_zsk - sign zone data

>> The current Enforcer does not consider the KSK active until you also
>> have the DS-seen. Right Sion?

> That is correct. At the point of issuing the ds-seen command the key is
> made active.

Could either you or Rickard elaborate on this?

I assume you are talking strictly about the user interface. Tell the
user the KSK is not ready as long as the DS is not fully propagated?

Depending on your strategy it would be possible to introduce the RRSIG
DNSKEY (active_zsk flag) without any DS activity. (I'm not arguing about
the sanity of such policy).

Or are you implying I should never try to have the DNSKEY set signed
with a key without a DS?

-- 
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl