[Opendnssec-user] Some glitches in OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Jul 2 07:17:25 UTC 2010

On 25 jun 2010, at 11.41, Ondřej Surý wrote:

> - No way how to get rid of an imported key or change the state of an already
> imported key

Once the key is imported, it is expected that the enforcer updates the state.

> - If I delete zone and re-add it later, the keys are lost, but you
> cannot re-import keys with same CKA_ID.

Removal of a zone does not remove the keys.

> - No way how to remove "lost" keys (see previous remark).

ods-hsmutil remove <id>

> - Algorithm rollover is missing? And it's not in the roadmap yet?

It is planned for 1.3, but the roadmap is not updated. Will do that next week.

Algorithm rollover is essentially like going from unsigned to signed with the new algorithm. Then at one point you decide to go unsigned with the old algorithm. The Enforcer should be able to handle multiple sets of algorithms, and the kasp.xml must also be expanded (so that you can have multiple ksk and zsk fields).

> - I was able to create such a mess in the keys for udp53.cz, that I
> had to disable auditor :)

We should have a look at this.

// Rickard
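The "unsigned to signed, then unsigned with the old algorithm" description above maps onto a concrete ordering constraint that a validator enforces: RFC 4035 section 2.2 requires that every algorithm listed in the zone's DNSKEY RRset has signed every RRset, so the new algorithm's RRSIGs must appear before its DNSKEY, and the old DNSKEY must go before the old RRSIGs. The following is an added illustration, not OpenDNSSEC code; the step names and the two-set zone model are constructed for the example, while the algorithm numbers (5 and 8) and the RFC 4035 rule are real.

```python
"""Toy model of a DNSSEC algorithm rollover and the RFC 4035 2.2 invariant.

Added example, not part of OpenDNSSEC. A zone is reduced to two sets:
the algorithms present in its DNSKEY RRset and the algorithms that have
signed every RRset. A resolver that validates strictly rejects any state
where a DNSKEY algorithm has no matching signatures.
"""
from __future__ import annotations

from dataclasses import dataclass, field

RSASHA1 = 5      # real IANA DNSSEC algorithm numbers
RSASHA256 = 8


@dataclass(frozen=True)
class ZoneState:
    dnskey_algs: frozenset[int] = field(default_factory=frozenset)  # in DNSKEY RRset
    rrsig_algs: frozenset[int] = field(default_factory=frozenset)   # signed all RRsets

    def consistent(self) -> bool:
        # RFC 4035 2.2: each algorithm in the DNSKEY RRset must sign every RRset.
        return self.dnskey_algs <= self.rrsig_algs


def conservative_rollover(old: int, new: int) -> list[tuple[str, ZoneState]]:
    """The ordering described in the mail, as constructed step names."""
    return [
        ("start", ZoneState(frozenset({old}), frozenset({old}))),
        # 1. Like going from unsigned to signed: new-algorithm RRSIGs first.
        ("add new RRSIGs", ZoneState(frozenset({old}), frozenset({old, new}))),
        # 2. Publish the new DNSKEY once those signatures have propagated.
        #    (The DS change at the parent is not modelled here.)
        ("publish new DNSKEY", ZoneState(frozenset({old, new}), frozenset({old, new}))),
        # 3. Like going unsigned with the old algorithm: withdraw its DNSKEY first.
        ("remove old DNSKEY", ZoneState(frozenset({new}), frozenset({old, new}))),
        # 4. Drop the old RRSIGs only after the DNSKEY TTL has expired.
        ("remove old RRSIGs", ZoneState(frozenset({new}), frozenset({new}))),
    ]


def naive_rollover(old: int, new: int) -> list[tuple[str, ZoneState]]:
    """A tempting shortcut: publish the new key before re-signing."""
    return [
        ("start", ZoneState(frozenset({old}), frozenset({old}))),
        ("publish new DNSKEY", ZoneState(frozenset({old, new}), frozenset({old}))),
        ("add new RRSIGs", ZoneState(frozenset({old, new}), frozenset({old, new}))),
        ("remove old DNSKEY", ZoneState(frozenset({new}), frozenset({old, new}))),
        ("remove old RRSIGs", ZoneState(frozenset({new}), frozenset({new}))),
    ]


def first_inconsistent_step(steps: list[tuple[str, ZoneState]]) -> str | None:
    """Return the name of the first step a strict validator would reject."""
    for name, state in steps:
        if not state.consistent():
            return name
    return None


if __name__ == "__main__":
    for label, plan in (("conservative", conservative_rollover),
                        ("naive", naive_rollover)):
        bad = first_inconsistent_step(plan(RSASHA1, RSASHA256))
        print(f"{label}: {'ok' if bad is None else 'breaks at step: ' + bad}")
```

The point for an enforcer is step 2 and step 3: between them the zone carries two complete sets of keys and signatures, which is why the mail notes that kasp.xml needs to express more than one algorithm at a time.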
