[Opendnssec-develop] Enforcer: Multiple keys in same role

Yuri Schaeffer yuri at NLnetLabs.nl
Fri Jul 15 12:46:05 UTC 2011

> Is the lifetime defined as an interval (from x to y) or a duration (z
> months)? If it is a duration, then e.g. ZSKs during rollover would
> look the same within one policy.

Lifetime is a duration, but I'm not sure where you are heading.
If two ZSKs are introduced at the same time and have the same lifetime,
they will roll simultaneously.

>> The algorithm looks like this:
>> ------
>> 1)
>> Decommission all keys with KeyConfiguration not in Policy.
>> /* We toggle goal, no immediate consequences */
>> 2)
>> for each KeyConfiguration Kc:
>>  (not Exists key in Kc) OR (newest key in Kc is EOL)?
>>    decommission each key in Kc
>>    introduce new key
> Isn't it more you need to think of? E.g. algorithm rollover?

I *think* this covers it. An algorithm rollover would work:
step 1. the old key gets goal hidden (because config no longer present)
step 2. a new key is introduced (because no (usable) key for new config)

Then everything rolls as usual.

In case the old config isn't removed, the zone will be double signed
since step 1 is then skipped. This is what we want to support for the
paranoids et al.

Yuri Schaeffer
NLnet Labs
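The two-step enforcer loop quoted above, modelled as a small constructed simulation (added example, not OpenDNSSEC's code): `KeyConfig`, `Key`, `enforce` and `algorithm_rollover` are hypothetical names, lifetimes are plain durations in seconds, and "hidden"/"omnipresent" stand for the key goal toggled in step 1.

```python
from dataclasses import dataclass
from typing import List

# Constructed model of the enforcer loop sketched in the thread (not OpenDNSSEC's code).
@dataclass(frozen=True)
class KeyConfig:
    role: str        # e.g. "KSK" or "ZSK"
    algorithm: int   # DNSSEC algorithm number
    lifetime: int    # duration in seconds, not an interval

@dataclass
class Key:
    config: KeyConfig
    introduced: int            # time the key was introduced
    goal: str = "omnipresent"  # "omnipresent" or "hidden"

    def is_eol(self, now: int) -> bool:
        return now >= self.introduced + self.config.lifetime

def enforce(policy: List[KeyConfig], keys: List[Key], now: int) -> List[str]:
    """One pass of the two-step algorithm; mutates keys in place, returns actions taken."""
    actions = []
    # Step 1: decommission keys whose KeyConfiguration is no longer in the policy.
    # Only the goal is toggled; the key itself is retired later by the state machine.
    for k in keys:
        if k.config not in policy and k.goal != "hidden":
            k.goal = "hidden"
            actions.append(f"hide {k.config.role}/alg{k.config.algorithm}@{k.introduced}")
    # Step 2: per KeyConfiguration, introduce a key if none is usable or the newest is EOL.
    for kc in policy:
        usable = [k for k in keys if k.config == kc and k.goal == "omnipresent"]
        if not usable or max(usable, key=lambda k: k.introduced).is_eol(now):
            for k in usable:
                k.goal = "hidden"
                actions.append(f"hide {kc.role}/alg{kc.algorithm}@{k.introduced}")
            keys.append(Key(kc, now))
            actions.append(f"introduce {kc.role}/alg{kc.algorithm}@{now}")
    return actions

def algorithm_rollover(keep_old_config: bool) -> List[Key]:
    """Constructed scenario: ZSK moves from algorithm 8 to 13, optionally keeping the old config."""
    old = KeyConfig("ZSK", 8, 90 * 86400)
    new = KeyConfig("ZSK", 13, 90 * 86400)
    keys = [Key(old, introduced=0)]
    policy = [old, new] if keep_old_config else [new]
    enforce(policy, keys, now=10 * 86400)
    return keys
```

With the old config removed, the old key is hidden and a new one introduced; with it kept, step 1 is skipped and both keys stay omnipresent, i.e. the zone is double signed.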
