[Opendnssec-develop] Automatic introduction of manual keys.
Matthijs Mekking
matthijs at NLnetLabs.nl
Mon Oct 10 09:47:09 UTC 2011
On 10/10/2011 11:20 AM, Yuri Schaeffer wrote:
>>> C) or maybe: As long as the zone is not properly signed ignore
>>> ManualRollover flag.
>
>> What do you mean with properly? Properly in the sense of DNSSEC or
>> properly according to the KASP?
>
> In the sense of DNSSEC.
>
> My thoughts about this strategy: User indicated manual RollOver but our
> first and foremost priority is to make sure the zone is secure.
>
> However when the user forgets to submit the DS to the parent (or forgets
> to tell the enforcer he did so), the enforcer might roll the KSK when
> configured lifetime is due. This might not be a problem because it is an
> internal affair for the Enforcer but is unexpected from a user point of
> view.
>
Then I would prefer option A/B.
Best regards,
Matthijs