[Opendnssec-develop] Enforcer: Multiple keys in same role

Rickard Bellgrim rickard at opendnssec.org
Fri Jul 15 14:19:14 UTC 2011


On Fri, Jul 15, 2011 at 2:46 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:
>> Is the lifetime defined as an interval (from x to y) or a duration (z
>> months)? If it is a duration, then e.g. ZSKs during rollover would
>> look the same within one policy.
>
> Lifetime is a duration, but I'm not sure where you are heading.
> If two ZSKs are introduced at the same time and have the same lifetime,
> they will roll simultaneously.

How would you know which one is the oldest if you only have the
duration and not the interval? And how would the lifetime help you to
decide which one to roll?

I was also wondering what you need the repository for? Once the key
has been created, then libhsm will find it for you. Well, we do have
the operation to mark a key as backed up.

Or maybe I am just not clear with the concept...

// Rickard


