[Opendnssec-develop] Enforcer: Multiple keys in same role
rickard at opendnssec.org
Fri Jul 15 08:06:51 UTC 2011
Is the lifetime defined as an interval (from x to y) or a duration (z
months)? If it is a duration, then e.g. ZSKs during rollover would
look the same within one policy.
> The algorithm looks like this:
> Decommission all keys with KeyConfiguration not in Policy.
> /* We toggle goal, no immediate consequences */
> for each KeyConfiguration Kc:
>   (not Exists key in Kc) OR (newest key in Kc is EOL)?
>     decommission each key in Kc
>     introduce new key
Isn't there more you need to think of? E.g. algorithm rollover?
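The quoted pseudocode as a runnable sketch, added here as an example; it is not code from the thread or from OpenDNSSEC. It assumes a KeyConfiguration is (role, algorithm, bits, lifetime as a duration) and that "goal" is a simple present/absent flag; all names and sample values are constructed. It runs the two cases raised in the reply: a scheduled ZSK rollover and an algorithm change in the policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class KeyConfig:            # assumed shape of a KeyConfiguration
    role: str
    algorithm: int          # DNSSEC algorithm number
    bits: int
    lifetime_days: int      # lifetime modelled as a duration, not an interval

@dataclass
class Key:
    config: KeyConfig
    inception_day: int
    goal_present: bool = True   # assumed model of the "goal" that gets toggled

    def is_eol(self, today):
        return today >= self.inception_day + self.config.lifetime_days

def enforce(policy, keys, today):
    """One pass of the quoted algorithm. Returns the keys it introduced."""
    # Decommission all keys with KeyConfiguration not in Policy.
    for k in keys:
        if k.config not in policy:
            k.goal_present = False      # toggle goal only, nothing is removed
    introduced = []
    for kc in policy:
        in_kc = [k for k in keys if k.config == kc]
        newest = max(in_kc, key=lambda k: k.inception_day, default=None)
        if newest is None or newest.is_eol(today):
            for k in in_kc:
                k.goal_present = False
            introduced.append(Key(kc, today))
    keys.extend(introduced)
    return introduced

def demo():
    zsk_alg5 = KeyConfig("ZSK", 5, 1024, 30)   # constructed sample values
    zsk_alg8 = KeyConfig("ZSK", 8, 1024, 30)
    keys = []
    enforce([zsk_alg5], keys, today=0)    # no key yet: first ZSK introduced
    enforce([zsk_alg5], keys, today=30)   # newest is EOL: scheduled rollover
    # Outgoing and incoming ZSK carry an identical configuration.
    same_config = keys[0].config == keys[1].config
    enforce([zsk_alg8], keys, today=35)   # policy switches algorithm
    return same_config, [(k.config.algorithm, k.goal_present) for k in keys]

if __name__ == "__main__":
    print(demo())
```

In this model the two ZSKs in a scheduled rollover are indistinguishable by configuration, and an algorithm change flips the goal of every old-algorithm key in the same pass that introduces the first new-algorithm key.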