[Opendnssec-develop] Automatic introduction of manual keys.

Yuri Schaeffer yuri at NLnetLabs.nl
Mon Oct 10 08:56:37 UTC 2011

Nick noticed a difference between the two enforcer implementations which
I would like to get your opinion about.

Importing an unsigned zone, split key, with <manualRollover/> on the KSK:

Generate both keys and introduce them in the zone. This is not
considered a rollover.

Enforcer NG:
Introduce only the ZSK. Wait for user signal to introduce the KSK. This
is a rollover like any other.

Personally I like the new behavior, as it feels more consistent. The
user asks not to do any automatic stuff with the KSK, so we don't.

It is possible to implement the old behavior by either:
A) ignore manual flag if there is no KSK*
B) ignore manual flag if there is no KSK* for this algorithm.
* same for other types of keys

C) or maybe: As long as the zone is not properly signed ignore
ManualRollover flag.

I think the solutions A, B, C all have some unexpected behavior for the
user in some situations. So I suggest to leave it as is.

Yuri Schaeffer
NLnet Labs
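
An added sketch (not part of the original message and not OpenDNSSEC code) that models the Enforcer NG behavior and options A, B and C from the message above as one decision function, then compares them on three constructed scenarios. All names, the sample algorithm numbers and the definition of "properly signed" used for option C are assumptions.

```python
# Added sketch, not OpenDNSSEC code: all names here are hypothetical.
from dataclasses import dataclass

@dataclass(frozen=True)
class Key:
    role: str       # "KSK" or "ZSK"
    algorithm: int  # DNSSEC algorithm number

def properly_signed(zone_keys):
    # Assumption for option C: every algorithm in the zone has a KSK and a ZSK.
    algs = {k.algorithm for k in zone_keys}
    return bool(algs) and all(
        Key(role, alg) in zone_keys for alg in algs for role in ("KSK", "ZSK"))

def auto_introduce(variant, zone_keys, new_key, manual=True):
    """True if new_key is introduced without waiting for a user signal."""
    if not manual:
        return True
    same_role = [k for k in zone_keys if k.role == new_key.role]
    if variant == "NG":  # always honour the manual flag
        return False
    if variant == "A":   # ignore the flag if there is no key of this type
        return not same_role
    if variant == "B":   # ignore it if there is none for this algorithm
        return all(k.algorithm != new_key.algorithm for k in same_role)
    if variant == "C":   # ignore it while the zone is not properly signed
        return not properly_signed(zone_keys)
    raise ValueError(variant)

def compare(zone_keys, new_key):
    return {v: auto_introduce(v, zone_keys, new_key) for v in ("NG", "A", "B", "C")}

# Constructed scenarios; algorithm numbers 8 and 13 are sample values.
SCENARIOS = {
    "unsigned import": ([], Key("KSK", 8)),
    "new algorithm added": ([Key("KSK", 8), Key("ZSK", 8)], Key("KSK", 13)),
    "KSK rollover, ZSK missing": ([Key("KSK", 8)], Key("KSK", 8)),
}

if __name__ == "__main__":
    for name, (keys, new) in SCENARIOS.items():
        print(f"{name:28} {compare(keys, new)}")
```

Under these assumptions the options agree on the initial import but diverge afterwards: only B introduces a KSK for a newly added algorithm automatically, and only C overrides the flag during a KSK rollover while the ZSK is missing.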
