[Opendnssec-develop] Enforcer: Multiple keys in same role
Rickard Bellgrim
rickard at opendnssec.org
Fri Jul 15 08:06:51 UTC 2011
> role|algorithm|lifetime|repository.
Is the lifetime defined as an interval (from x to y) or a duration (z
months)? If it is a duration, then e.g. ZSKs during rollover would
look the same within one policy.
> The algorithm looks like this:
> ------
> 1)
> Decommission all keys with KeyConfiguration not in Policy.
> /* We toggle goal, no immediate consequences */
>
> 2)
> for each KeyConfiguration Kc:
> (not Exists key in Kc) OR (newest key in Kc is EOL)?
> decommission each key in Kc
> introduce new key
Isn't there more you need to think of? E.g. algorithm rollover?
// Rickard
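
A sketch of the quoted two-step pass, added here as an example and not code from the Enforcer or from either poster. It assumes the lifetime is a duration in days, reads both "decommission" and "introduce" in step 2 as falling under the condition, and uses hypothetical names (`Key`, `enforce`, goal values `present`/`absent`) with a constructed policy.

```python
from collections import namedtuple
from dataclasses import dataclass

# KeyConfiguration as quoted: role|algorithm|lifetime|repository.
# Assumption: lifetime is a duration in days, not an interval.
KeyConfig = namedtuple("KeyConfig", "role algorithm lifetime repository")

@dataclass
class Key:
    config: KeyConfig
    inception: int          # day the key was introduced
    goal: str = "present"   # assumed goal values; the pass only toggles this

    def is_eol(self, now):
        return now - self.inception >= self.config.lifetime

def enforce(policy, keys, now):
    """One pass of the quoted two-step algorithm; returns the key list."""
    # 1) Decommission all keys with KeyConfiguration not in Policy.
    for k in keys:
        if k.config not in policy:
            k.goal = "absent"
    # 2) Per KeyConfiguration: no key, or newest key is EOL -> roll.
    for kc in policy:
        mine = [k for k in keys if k.config == kc]
        newest = max(mine, key=lambda k: k.inception, default=None)
        if newest is None or newest.is_eol(now):
            for k in mine:
                k.goal = "absent"
            keys.append(Key(kc, now))
    return keys

def live(keys):
    return [(k.config.algorithm, k.inception) for k in keys if k.goal == "present"]

# Constructed sample policy entries (repository name is made up).
ZSK_RSA = KeyConfig("ZSK", "RSASHA1", 30, "softhsm")
ZSK_RSA256 = KeyConfig("ZSK", "RSASHA256", 30, "softhsm")

def demo():
    keys = enforce([ZSK_RSA], [], now=0)            # first key introduced
    keys = enforce([ZSK_RSA], keys, now=30)         # scheduled rollover
    same_config = keys[0].config == keys[1].config  # old and new look alike
    keys = enforce([ZSK_RSA256], keys, now=40)      # policy switches algorithm
    return same_config, live(keys)
```

In this reading the old and new ZSK of a scheduled rollover carry the same KeyConfiguration, and an algorithm change is picked up only through step 1, because the old configuration drops out of the policy.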