[Opendnssec-user] Key rollovers

Antti Ristimäki aristima at csc.fi
Mon Nov 16 07:22:12 UTC 2009


Just wondering, whether it's possible to add some level of extra
authentication to the key rollover process? Now, if one can access the
OpenDNSSEC server with sufficient privileges, he or she can trigger the
key rollover by giving the "ods-ksmutil key rollover..." command,

It has to be noted, though, that the ability to merely roll the key is
not so critical if one is not authorized to update the DS record in the
parent zone. However, it would be nice to have some mechanism to prevent
a single user to roll the keys, especially KSK.

Any comments/opinions about this?

Best regards,


More information about the Opendnssec-user mailing list