[Opendnssec-develop] Enforcer: Multiple keys in same role

Rickard Bellgrim rickard at opendnssec.org
Fri Jul 15 08:06:51 UTC 2011

> role|algorithm|lifetime|repository.

Is the lifetime defined as an interval (from x to y) or a duration (z
months)? If it is a duration, then e.g. ZSKs during rollover would
look the same within one policy.

> The algorithm looks like this:
> ------
> 1)
> Decommission all keys with KeyConfiguration not in Policy.
> /* We toggle goal, no immediate consequences */
> 2)
> for each KeyConfiguration Kc:
>  (not Exists key in Kc) OR (newest key in Kc is EOL)?
>    decommission each key in Kc
>    introduce new key

Isn't it more you need to think of? E.g. algorithm rollover?

// Rickard

More information about the Opendnssec-develop mailing list