[Opendnssec-develop] Enforcer NG testing

Siôn Lloyd sion at nominet.org.uk
Tue Aug 30 14:38:00 UTC 2011


On 30/08/11 15:21, Yuri Schaeffer wrote:
>
>> That is correct. At the point of issuing the ds-seen command the key is
>> made active.
> Could either you or Rickard elaborate on this?
>
> I assume you are talking strictly about the user interface. Tell the
> user the KSK is not ready as long as the DS is not fully propagated?
>

Yes, as soon as the key is included in a zone it is used, but "key list" 
will not indicate that. The transition to active is triggered by the 
user, which starts the key retirement clock.

> Depending on your strategy it would be possible to introduce the RRSIG
> DNSKEY (active_zsk flag) without any DS activity. (I'm not arguing about
> the sanity of such policy).
>
> or are you implying I should never try to have the DNSKEY set signed
> with a key without a DS?
>
