[Opendnssec-user] Key rollovers on exact days and with predictable keys?

Sion Lloyd sion at nominet.org.uk
Fri Oct 15 10:10:46 CEST 2010


> Is it reasonable to assume the ZSKs will be used in the listed order?:
> id: ac9e3626f19eae7aecae3b23453a6877
> id: 4b300ac1eb5d41a034ddfaeb4453acbc
> id: eb4205c1a4f985c63c09d0a88a4eb768
> id: b4dd17417d13aa58c8d3ae1429a02dff

When we allocate new keys to zones we take the one that has the lowest id (not 
key_id, but the database identifier) which will be the one that was generated 
first.

So if you take your order from the key generation log then I'd be confident of 
using the keys in that order. 

> or achieving our "idea" would require a change to ods-ksmutil to accept
> the option "--CKA_ID", turning the rollover into something like the
> following?
> 
> ods-ksmutil key rollover --zone example.com --keytype zsk --CKA_ID
> ac9e3626f19eae7aecae3b23453a6877
> 
> 
> Is there a need for this feature or we are just over engineering?

Personally I do not see a need for this, as all your unused keys in your HSM 
are equal... However at the same time I see no harm in making the system more 
deterministic.

So would it be enough to make sure that the order of "ods-ksmutil key list" 
(when it is extended to cover keys in the generate state) is the same as the 
order in which keys will be used?

Sion



More information about the Opendnssec-user mailing list