[Opendnssec-develop] Enforcer: Multiple keys in same role
yuri at NLnetLabs.nl
Fri Jul 15 12:46:05 UTC 2011
> Is the lifetime defined as an interval (from x to y) or a duration (z
> months)? If it is a duration, then e.g. ZSKs during rollover would
> look the same within one policy.
Lifetime is a duration, but I'm not sure where you are heading at.
If two ZSKs are introduced at the same time and have the same lifetime,
they will roll simultaneously.
>> The algorithm looks like this:
>> Decommission all keys with KeyConfiguration not in Policy.
>> /* We toggle goal, no immediate consequences */
>> for each KeyConfiguration Kc:
>> (not Exists key in Kc) OR (newest key in Kc is EOL)?
>> decommission each key in Kc
>> introduce new key
> Isn't it more you need to think of? E.g. algorithm rollover?
I *think* this covers it. An algorithm rollover would work:
step 1. the old key gets goal hidden. (because config no longer present)
step 2. a new key is introduced (because no (usable) key for new config
Then, Everything rolls as usual
In case the old config isn't removed, the zone will be double signed
since step 1 is then skipped. This is what we want to support for the
paranoids et al.
More information about the Opendnssec-develop