[Opendnssec-develop] Automatic introduction of manual keys.

Rickard Bellgrim rickard at opendnssec.org
Fri Oct 21 15:08:35 UTC 2011


> So what you are suggesting is the following?:
>
> 1) key A reached lifetime, generate new key B
> 2) Intro key B, but hold DS
>
> ... wait for user input
>
> 3) Switch DS key A and B
> 4) outro key A
>
> This seems really awkward to me, especially since the DS switch currently is
> a manual process anyway.

Yes, that is the current behavior of the Enforcer. But we actually
only recommend manual rollover for ZSK. There is no point of doing it
for the KSK since we are anyways waiting for the DS.

> What about manual ZSK's? What parts will be introduced before the user gives
> the command?

In the case of Pre-publish ZSK rollover, it would be ok to pre-publish
the new ZSK. But then wait for the user to give the rollover command.

// Rickard



More information about the Opendnssec-develop mailing list