[Opendnssec-user] Key rollovers on exact days and with predictable keys?
Sion Lloyd
sion at nominet.org.uk
Fri Oct 15 08:10:46 UTC 2010
> Is it reasonable to assume the ZSKs will be used in the listed order?:
> id: ac9e3626f19eae7aecae3b23453a6877
> id: 4b300ac1eb5d41a034ddfaeb4453acbc
> id: eb4205c1a4f985c63c09d0a88a4eb768
> id: b4dd17417d13aa58c8d3ae1429a02dff
When we allocate new keys to zones we take the one that has the lowest id (not
key_id, but the database identifier), which will be the one that was generated
first.
So if you take your order from the key generation log then I'd be confident of
using the keys in that order.
> or achieving our "idea" would require a change to ods-ksmutil to accept
> the option "--CKA_ID", turning the rollover into something like the
> following?
>
> ods-ksmutil key rollover --zone example.com --keytype zsk --CKA_ID
> ac9e3626f19eae7aecae3b23453a6877
>
>
> Is there a need for this feature or we are just over engineering?
Personally I do not see a need for this, as all your unused keys in your HSM
are equal... However at the same time I see no harm in making the system more
deterministic.
So would it be enough to make sure that the order of "ods-ksmutil key list"
(when it is extended to cover keys in the generate state) is the same as the
order in which keys will be used?
Sion
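An added illustration of the allocation rule described above; this is not OpenDNSSEC code and the `keypairs` table here is a simplified stand-in for the KASP database, with an autoincrement `id` as the database identifier and `hsmkey_id` as the CKA_ID. It takes the four ZSK CKA_IDs from the thread in the order the generation log listed them and shows that picking the lowest database id reproduces that order, that sorting by CKA_ID would not, and what a rollover that names a specific CKA_ID (the proposed `--CKA_ID` option, modelled here as `allocate_by_cka_id`, which is an assumption and not an existing ods-ksmutil feature) would do instead.

```python
import sqlite3

# Constructed sample: the ZSK CKA_IDs quoted in the thread, in the order the
# key-generation log reported them (i.e. ascending database id).
GENERATION_LOG = [
    "ac9e3626f19eae7aecae3b23453a6877",
    "4b300ac1eb5d41a034ddfaeb4453acbc",
    "eb4205c1a4f985c63c09d0a88a4eb768",
    "b4dd17417d13aa58c8d3ae1429a02dff",
]


def build_db(cka_ids):
    """Simplified model of the KASP keypairs table (not the real schema).

    Keys are inserted in generation order, so the autoincrement id records
    which key was generated first. All start in the 'generate' state.
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        """CREATE TABLE keypairs (
               id        INTEGER PRIMARY KEY AUTOINCREMENT,
               hsmkey_id TEXT NOT NULL UNIQUE,
               keytype   TEXT NOT NULL,
               state     TEXT NOT NULL)"""
    )
    db.executemany(
        "INSERT INTO keypairs (hsmkey_id, keytype, state) "
        "VALUES (?, 'zsk', 'generate')",
        [(k,) for k in cka_ids],
    )
    db.commit()
    return db


def allocate_next(db, keytype="zsk"):
    """Allocation rule from the reply: take the unused key with the lowest
    database id (not the lowest CKA_ID). Returns its CKA_ID, or None."""
    row = db.execute(
        "SELECT id, hsmkey_id FROM keypairs "
        "WHERE keytype = ? AND state = 'generate' ORDER BY id LIMIT 1",
        (keytype,),
    ).fetchone()
    if row is None:
        return None
    db.execute("UPDATE keypairs SET state = 'active' WHERE id = ?", (row[0],))
    db.commit()
    return row[1]


def allocate_by_cka_id(db, cka_id):
    """Model of the proposed '--CKA_ID' rollover (an assumption, not a real
    option): pick a named unused key regardless of its database id."""
    row = db.execute(
        "SELECT id, hsmkey_id FROM keypairs "
        "WHERE hsmkey_id = ? AND state = 'generate'",
        (cka_id,),
    ).fetchone()
    if row is None:
        return None  # unknown, or already used: nothing to roll to
    db.execute("UPDATE keypairs SET state = 'active' WHERE id = ?", (row[0],))
    db.commit()
    return row[1]


def allocation_order(cka_ids):
    """Roll through every unused key and return the CKA_IDs in the order the
    lowest-id rule hands them out."""
    db = build_db(cka_ids)
    order = []
    while (cka := allocate_next(db)) is not None:
        order.append(cka)
    return order


def cka_id_order(cka_ids):
    """Order you would get by sorting on the CKA_ID string itself."""
    return sorted(cka_ids)


def named_then_default(cka_ids, named):
    """Roll once to a named key, then once by the default rule; returns the
    pair of CKA_IDs so the two selection rules can be compared."""
    db = build_db(cka_ids)
    return allocate_by_cka_id(db, named), allocate_next(db)


if __name__ == "__main__":
    print("lowest-id order :", allocation_order(GENERATION_LOG))
    print("CKA_ID order    :", cka_id_order(GENERATION_LOG))
    print("named, then next:", named_then_default(GENERATION_LOG, GENERATION_LOG[2]))
```

The practical check this suggests: the order to rely on is the one in the key-generation log (ascending database id), not a sort of the CKA_IDs, which for these four keys would put `4b30...` first rather than `ac9e...`.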