[Opendnssec-user] Key rollovers

Jakob Schlyter jakob at kirei.se
Mon Nov 16 08:41:35 UTC 2009


On 16 nov 2009, at 08.22, Antti Ristimäki wrote:

> Just wondering, whether it's possible to add some level of extra
> authentication to the key rollover process? Now, if one can access the
> OpenDNSSEC server with sufficient privileges, he or she can trigger the
> key rollover by giving the "ods-ksmutil key rollover..." command,
> right? 

I understand your concern, but since a large part of the security model of OpenDNSSEC relies on the signer being secure, it's a rather large change. If that were not the case, I think we'd have a lot of other issues that might be important as well.

We could, however, consider adding an "are you sure?" question to the more "destructive" commands of ods-ksmutil. Would that help?

	jakob



