[Opendnssec-user] planning key rollovers

Mathieu Arnold mat at mat.cc
Wed Oct 23 07:40:54 UTC 2013


I'd like to have the ZSK rollovers spread along the two-month period that
they last so that I don't get 1500 new keys at once.
I could write a script iterating over the zones and sleeping <two
months>/<number of zones> between them, but it seems a bit
counterproductive to have a script running that long.
So, I'm trying to see what the code does, but I'm not exactly certain I
understand it. It seems that if I want to update the database manually, for
each zone, I should:
update the dnsseckey to retire when I want it to, and update the keypair
associated with it with compromisedflag=1, fixedDate=1.

Before I go on and all hell breaks loose, am I missing something?

Mathieu Arnold
