[Opendnssec-develop] Automatically test 'interesting' rollovers.
Roland van Rijswijk
Roland.vanRijswijk at surfnet.nl
Fri Jun 15 12:48:18 UTC 2012
On 15 jun. 2012, at 11:10, Siôn Lloyd wrote:
> On 15/06/12 09:57, Yuri Schaeffer wrote:
>> At the enforcer-ng call we discussed if there is a way to perform
>> rollovers with more than 2 keys in an automated fashion so we could make
>> tests for it.
>>
>> Yes there is. But it is limited. One could issue:
>> ods-enforcer key rollover --zone example.com --keytype KSK
>>
>> This is the behavior:
>>
>> A) do I have a KSK configured in the kasp? no: ignore command
>> (This makes sense, we could be using a CSK. No configuration means we
>> don't even know what size or algorithm to use.)
>> yes:
>>
>> B) Is the KSK configured as <Manual>? no: only do scheduled rolls.
>> yes: Start using a new KSK, mark other KSKs as old.
>>
>>
>> If we would lift check B this would be our emergency rollover function.
>> But I'm quite sure I was asked to implement current behavior (I think to
>> mimic current enforcer). Do we still think it should work like this? - I
>> don't and propose the following:
>>
>> - Remove check B. (+1 yuri)
>> - Remove check B if --force is given.
>>
>
> I understand the <manual> tag to mean "don't do automatic rolls", but wouldn't assume the reverse.
> So +1 for "Remove check B".
^^^^^^
What he said, so +1 ;-)
Cheers,
Roland
-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl