[Opendnssec-develop] Enforcer engine design v2 work breakdown

Rickard Bellgrim rickard at opendnssec.org
Thu Jun 30 11:32:27 UTC 2011


On Wed, Jun 29, 2011 at 5:24 PM, Roland van Rijswijk
<Roland.vanRijswijk at surfnet.nl> wrote:
>> The other thing that *might* be a problem is that the algorithm
>> implicitly assumes you'll want to have only one key of each role. It
>> will not keep juggling two ZSKs if one is enough to validate. I worked
>> out a rough idea for a fix with Matthijs. It requires no changes from
>> Rene but it's non-trivial. Therefore I want to know whether or not we
>> want to support this. Is there a use case? There is not much
>> code-dependency so changing this at a later time will not increase
>> required work.
>
> I don't really see a use case for having two ZSKs other than when you are using two algorithms to sign a zone or perhaps if you want a standby ZSK (e.g. if you keep separate key material on two physically separate HSMs with different security worlds, although this would be ultra paranoid). But perhaps I'm overlooking more valid use cases ;-)

Those would be the use cases. We had a discussion yesterday on the
OpenDNSSEC meeting where we decided that this support could wait until
we have a running Enforcer.

// Rickard
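The two use cases named in this thread (a zone signed with two algorithms, and a standby ZSK) differ in one way that matters to an enforcer: RFC 4035 section 2.2 requires that every algorithm present in the DNSKEY RRset actually signs the zone, so a two-algorithm zone needs at least one active ZSK per algorithm, while a standby ZSK is surplus from the protocol's point of view. The following added example, which is not OpenDNSSEC code and not from any participant in the thread, models that distinction on a constructed key set: it reports which active ZSKs a policy must keep, which algorithms lack a signing ZSK, and which active ZSKs are redundant. The `Key` class, the `required_zsks` and `redundant_zsks` functions and the sample key names are all assumptions made for this illustration.

```python
# Added example (not OpenDNSSEC code): the "one active ZSK per algorithm"
# requirement of RFC 4035 section 2.2, applied to a constructed DNSKEY set.
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    name: str        # hypothetical key label for this illustration
    role: str        # "KSK" or "ZSK"
    algorithm: int   # DNSKEY algorithm number (8 = RSASHA256, 13 = ECDSAP256SHA256)
    active: bool     # True if the key currently signs zone data


def algorithms_in_use(keys):
    """Every algorithm that appears in the published DNSKEY RRset."""
    return {k.algorithm for k in keys}


def required_zsks(keys):
    """Pick the minimal set of active ZSKs the zone cannot do without.

    One ZSK per algorithm in the DNSKEY RRset is required; an algorithm with
    no active ZSK is a compliance gap because validators may treat its
    signatures as missing. Returns (chosen, missing) where chosen maps
    algorithm number to the key name kept, and missing is the set of
    algorithms that have no active ZSK at all.
    """
    chosen = {}
    missing = set()
    for alg in sorted(algorithms_in_use(keys)):
        candidates = [k for k in keys
                      if k.role == "ZSK" and k.algorithm == alg and k.active]
        if candidates:
            chosen[alg] = candidates[0].name   # first listed key wins
        else:
            missing.add(alg)
    return chosen, missing


def redundant_zsks(keys):
    """Active ZSKs not needed for RFC 4035 compliance, e.g. a standby key."""
    chosen, _ = required_zsks(keys)
    return sorted(k.name for k in keys
                  if k.role == "ZSK" and k.active
                  and chosen.get(k.algorithm) != k.name)


# Constructed sample key sets (labels are invented for the example).
STANDBY_ZSK = [
    Key("ksk-8", "KSK", 8, True),
    Key("zsk-8-a", "ZSK", 8, True),
    Key("zsk-8-b", "ZSK", 8, True),   # second ZSK of the same algorithm
]

TWO_ALGORITHMS = [
    Key("ksk-8", "KSK", 8, True),
    Key("zsk-8", "ZSK", 8, True),
    Key("ksk-13", "KSK", 13, True),
    Key("zsk-13", "ZSK", 13, True),
]

MISSING_ZSK = [
    Key("ksk-8", "KSK", 8, True),
    Key("zsk-8", "ZSK", 8, True),
    Key("ksk-13", "KSK", 13, True),   # algorithm 13 published without a ZSK
]

if __name__ == "__main__":
    for label, keys in (("standby", STANDBY_ZSK),
                        ("two algorithms", TWO_ALGORITHMS),
                        ("missing", MISSING_ZSK)):
        chosen, missing = required_zsks(keys)
        print(label, "keep:", chosen, "gap:", missing,
              "redundant:", redundant_zsks(keys))
```

In the standby case the second algorithm-8 ZSK is redundant, so an enforcer that only ever keeps one key per role (as the thread describes) is not violating anything; in the two-algorithm case both ZSKs are required, which is exactly where that assumption breaks. The third set shows the failure mode a check like this should catch: an algorithm is published in the DNSKEY RRset but has nothing signing with it.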


