[Opendnssec-develop] Automatic introduction of manual keys.

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 10 09:47:09 UTC 2011


On 10/10/2011 11:20 AM, Yuri Schaeffer wrote:
>>> C) or maybe: As long as the zone is not properly signed ignore
>>> ManualRollover flag.
> 
>> What do you mean with properly? Properly in the sense of DNSSEC or
>> properly according to the KASP?
> 
> In the sense of DNSSEC.
> 
> My thoughts about this strategy: User indicated manual RollOver but our
> first and foremost priority is to make sure the zone is secure.
> 
> However when the user forgets to submit the DS to the parent (or forgets
> to tell the enforcer he did so), the enforcer might roll the KSK when
> configured lifetime is due. This might not be a problem because it is an
> internal affair for the Enforcer but is unexpected from a user point of
> view.
> 

Then I would prefer option A/B.

Best regards,
  Matthijs


