[Opendnssec-develop] Automatically test 'interesting' rollovers.
yuri at nlnetlabs.nl
Fri Jun 15 08:57:28 UTC 2012
At the enforcer-ng call we discussed if there is a way to perform
rollovers with more than 2 keys in an automated fashion so we could make
tests for it.
Yes there is. But it is limited. One could issue:
ods-enforcer key rollover --zone example.com --keytype KSK
This is the behavior:
A) do I have a KSK configured in the kasp? no: ignore command
(This makes sense, we could be using a CSK. No configuration means we
dont even know what size or algorithm to use.)
B) Is the KSK configured as <Manual>? no: only do scheduled rolls.
yes: Start using a new KSK, mark other KSKs as old.
If we would lift check B this would be our emergency rollover function.
But I'm quite sure I was asked to implement current behavior (I think to
mimic current enforcer). Do we still think it should work like this? - I
don't and propose the following:
- Remove check B. (+1 yuri)
- Remove check B if --force is given.
More information about the Opendnssec-develop