[Opendnssec-develop] Automatic introduction of manual keys.

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Oct 21 12:41:28 UTC 2011

> The ManualRollover stops us from making a key retired. But it does not
> stop us from introducing a new key. We want to minimize the waiting
> time for the user by doing as much as possible before the user decides
> to retire the old key and make the new one active.

So what you are suggesting is the following?:

1) key A reached lifetime, generate new key B
2) Intro key B, but hold DS

... wait for user input

3) Switch DS key A and B
4) outro key A

This seems really awkward to me, especially since the DS switch 
currently is a manual process anyway.

What about manual ZSK's? What parts will be introduced before the user 
gives the command?

I might be missing the point of manual keys.


More information about the Opendnssec-develop mailing list