[Opendnssec-develop] Automatic introduction of manual keys.
Yuri Schaeffer
yuri at NLnetLabs.nl
Tue Oct 11 13:49:06 UTC 2011
>> Then I would prefer option A/B.
> Although you could argue that this is a rollover; I think that by asking
> for the zone to be signed the user has agreed to the KSK being introduced.
I did implement option B.

If the enforcer finds a key entry in the kasp for algorithm X and X is
not yet used in the zone, it will introduce that key, regardless of the
Manual flag.

If the user changes the algorithm (from unsigned to X or Y to X) the
enforcer assumes signing with X must be done *now*.

Also, this will work as expected when signing with multiple keys
simultaneously.
--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl