[Opendnssec-develop] Automatic introduction of manual keys.

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 10 09:07:30 UTC 2011


On 10/10/2011 10:56 AM, Yuri Schaeffer wrote:
> Nick noticed a difference between the two enforcer implementations which
> I'd like to get your opinion about.
> Importing an unsigned zone, split key, with <manualRollover/> on the KSK:
> Enforcer:
> Generate both keys and introduce them in the zone. This is not
> considered a rollover.
> Enforcer NG:
> Introduce only the ZSK. Wait for user signal to introduce the KSK. This
> is a rollover like any other.
> Personally I like the new behavior, as it feels more consistent. The
> user asks not to do any automatic stuff with the KSK, so we don't.

The user asks us not to do any automatic KSK rollover. You can argue whether
introducing the KSK is a rollover. I prefer to have the KSK introduced
automatically, just like the current enforcer does.

> It is possible to implement the old behavior by either:
> A) ignore manual flag if there is no KSK*
> B) ignore manual flag if there is no KSK* for this algorithm.
> * same for other type of keys
> C) or maybe: As long as the zone is not properly signed ignore
> ManualRollover flag.

Option A) is how the current enforcer would work. Option B) is the same,
except it takes into account algorithm rollover (which is actually a
change of the KASP).

What do you mean with properly? Properly in the sense of DNSSEC or
properly according to the KASP?

> I think the solutions A, B, C all have some unexpected behavior for the
> user in some situations. So I suggest leaving it as is.

I would like to see one of the solutions implemented.

Best regards,

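To make the four behaviours concrete, the following is a small model of the key-introduction decision discussed in this thread. It is an added example, not the OpenDNSSEC enforcer code or anything either enforcer actually implements; the names (ZoneState, Key, may_introduce, the properly_signed flag) are assumptions of the model. The two readings of "properly signed" (valid DNSSEC chain vs. signed according to the current KASP) are kept as an explicit parameter, since that is exactly what the reply asks about, and the second scenario (an algorithm change with manualRollover on the KSK) is where options A, B and C diverge.

```python
"""Model of KSK/ZSK introduction under a manualRollover flag.

Hypothetical example for the enforcer discussion; not OpenDNSSEC code.
Options A, B, C and the "NG" behaviour follow the descriptions in the thread.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Key:
    role: str        # "KSK" or "ZSK"
    algorithm: int   # DNSSEC algorithm number, e.g. 8 (RSASHA256), 13 (ECDSAP256SHA256)


@dataclass
class ZoneState:
    keys: List[Key] = field(default_factory=list)
    properly_signed: bool = False   # meaning of "properly" is chosen by the caller


def has_key(zone: ZoneState, role: str, algorithm: Optional[int] = None) -> bool:
    """True if the zone already has a key of this role (optionally of this algorithm)."""
    return any(k.role == role and (algorithm is None or k.algorithm == algorithm)
               for k in zone.keys)


def may_introduce(zone: ZoneState, role: str, algorithm: int,
                  manual_rollover: bool, option: str) -> bool:
    """Decide whether the enforcer may introduce a key without a user signal.

    option "NG": honour manualRollover unconditionally (Enforcer NG as described).
    option "A":  ignore the flag if the zone has no key of this role at all.
    option "B":  ignore the flag if the zone has no key of this role for this algorithm.
    option "C":  ignore the flag as long as the zone is not properly signed.
    """
    if not manual_rollover:
        return True
    if option == "NG":
        return False
    if option == "A":
        return not has_key(zone, role)
    if option == "B":
        return not has_key(zone, role, algorithm)
    if option == "C":
        return not zone.properly_signed
    raise ValueError(f"unknown option {option!r}")


def enforce(zone: ZoneState, kasp: List[Tuple[str, int, bool]], option: str) -> List[str]:
    """One enforcer pass: kasp is a list of (role, algorithm, manual_rollover).

    Keys that may be introduced are added to the zone; their roles are returned.
    """
    introduced = []
    for role, algorithm, manual_rollover in kasp:
        if may_introduce(zone, role, algorithm, manual_rollover, option):
            zone.keys.append(Key(role, algorithm))
            introduced.append(role)
    return introduced


# Constructed KASPs: split keys, manualRollover on the KSK only.
SPLIT_KASP_ALG8 = [("KSK", 8, True), ("ZSK", 8, False)]
SPLIT_KASP_ALG13 = [("KSK", 13, True), ("ZSK", 13, False)]


def fresh_import(option: str) -> List[str]:
    """Scenario from the thread: importing an unsigned zone with no keys."""
    return enforce(ZoneState(), SPLIT_KASP_ALG8, option)


def algorithm_change(option: str, properly_means_per_kasp: bool) -> List[str]:
    """A signed zone (alg 8 keys) whose KASP is changed to alg 13.

    Under the DNSSEC reading the zone is properly signed (valid chain with the
    alg 8 keys); under the KASP reading it is not, since the KASP now wants alg 13.
    """
    zone = ZoneState(keys=[Key("KSK", 8), Key("ZSK", 8)])
    zone.properly_signed = not properly_means_per_kasp
    return enforce(zone, SPLIT_KASP_ALG13, option)


if __name__ == "__main__":
    for opt in ("NG", "A", "B", "C"):
        print(f"{opt:>2}: fresh import -> {fresh_import(opt)}; "
              f"alg change (DNSSEC reading) -> {algorithm_change(opt, False)}; "
              f"alg change (KASP reading) -> {algorithm_change(opt, True)}")
```

On a fresh import, A, B and C all reproduce the old enforcer (both keys introduced) while NG introduces only the ZSK. On the algorithm change, A behaves like NG because a KSK of some algorithm already exists, B introduces the new KSK, and C depends entirely on which reading of "properly signed" is chosen.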
