[Opendnssec-develop] Automatically test 'interesting' rollovers.

Siôn Lloyd sion at nominet.org.uk
Fri Jun 15 09:10:42 UTC 2012

On 15/06/12 09:57, Yuri Schaeffer wrote:
> At the enforcer-ng call we discussed if there is a way to perform
> rollovers with more than 2 keys in an automated fashion so we could make
> tests for it.
> Yes there is. But it is limited. One could issue:
>    ods-enforcer key rollover --zone example.com --keytype KSK
> This is the behavior:
> A) do I have a KSK configured in the kasp? no: ignore command
> (This makes sense, we could be using a CSK. No configuration means we
> dont even know what size or algorithm to use.)
> yes:
> B) Is the KSK configured as<Manual>? no: only do scheduled rolls.
> yes: Start using a new KSK, mark other KSKs as old.
> If we would lift check B this would be our emergency rollover function.
> But I'm quite sure I was asked to implement current behavior (I think to
> mimic current enforcer). Do we still think it should work like this? - I
> don't and propose the following:
> - Remove check B. (+1 yuri)
> - Remove check B if --force is given.

I understand the <manual> tag to mean "don't do automatic rolls", but 
wouldn't assume the reverse.
So +1 for "Remove check B".


More information about the Opendnssec-develop mailing list