[Opendnssec-develop] Automatically test 'interesting' rollovers.
Yuri Schaeffer
yuri at nlnetlabs.nl
Fri Jun 15 08:57:28 UTC 2012
At the enforcer-ng call we discussed if there is a way to perform
rollovers with more than 2 keys in an automated fashion so we could make
tests for it.
Yes there is. But it is limited. One could issue:
ods-enforcer key rollover --zone example.com --keytype KSK
This is the behavior:
A) Do I have a KSK configured in the kasp?
   no: ignore command.
   (This makes sense, we could be using a CSK. No configuration means we
   don't even know what size or algorithm to use.)
   yes:
B) Is the KSK configured as <Manual>?
   no: only do scheduled rolls.
   yes: Start using a new KSK, mark other KSKs as old.
If we would lift check B this would be our emergency rollover function.
But I'm quite sure I was asked to implement current behavior (I think to
mimic current enforcer). Do we still think it should work like this? - I
don't and propose the following:
- Remove check B. (+1 yuri)
- Remove check B if --force is given.
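To make the two checks and the proposed --force option concrete, here is a small model of the decision as an added example; it is not OpenDNSSEC's code, and the KeyPolicy/Key/Zone classes and the rollover() function are hypothetical stand-ins for the kasp and key list.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class KeyPolicy:
    """Hypothetical kasp section for one key type (None = no KSK configured)."""
    algorithm: int
    bits: int
    manual: bool  # the <Manual> element


@dataclass
class Key:
    role: str           # "KSK", "ZSK" or "CSK"
    algorithm: int
    bits: int
    state: str = "active"  # "active" or "old"


@dataclass
class Zone:
    name: str
    ksk_policy: Optional[KeyPolicy]
    keys: List[Key] = field(default_factory=list)


def rollover(zone: Zone, keytype: str = "KSK", force: bool = False) -> str:
    """Model of 'ods-enforcer key rollover --zone Z --keytype KSK'.
    force=True models the proposed '--force' variant that lifts check B."""
    policy = zone.ksk_policy if keytype == "KSK" else None
    if policy is None:
        # Check A: no KSK in the kasp (e.g. a CSK setup); we would not even
        # know which algorithm or key size to generate, so ignore the command.
        return "ignored: no KSK configured"
    if not policy.manual and not force:
        # Check B: not <Manual>, so only the scheduled rolls happen.
        return "scheduled rolls only"
    # Manual (or forced): introduce a new KSK from the policy's parameters
    # and mark the zone's other active KSKs as old.
    for k in zone.keys:
        if k.role == keytype and k.state == "active":
            k.state = "old"
    zone.keys.append(Key(keytype, policy.algorithm, policy.bits))
    return "rolled"


def active_keys(zone: Zone, role: str) -> List[Key]:
    return [k for k in zone.keys if k.role == role and k.state == "active"]
```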
//yuri