[Opendnssec-develop] Automatic introduction of manual keys.

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Oct 11 13:49:06 UTC 2011

>> Then I would prefer option A/B.

> Although you could argue that this is a rollover; I think that by asking
> for the zone to be signed the user has agreed to the KSK being introduced.

I did implement option B.
If the enforcer finds a key entry in the kasp for algorithm X and X is
not yet used in the zone, it will introduce that key. Regardless of the
Manual flag.

If the user changes the algorithm (from unsigned to X or Y to X) the
enforcer assumes signing with X must be done *now*.

Also, this will work as expected when signing with multiple keys

Yuri Schaeffer
NLnet Labs

More information about the Opendnssec-develop mailing list