[Opendnssec-user] Problem with KSK manual rollover

Erik P. Ostlyngen erik.ostlyngen at uninett.no
Mon Mar 10 10:18:37 UTC 2014


On 03/10/2014 09:37 AM, Jerry Lundström wrote:
> Hi Erik,
> 
> On 10 Mar 2014, at 08:52, "Erik P. Ostlyngen"
> <erik.ostlyngen at uninett.no>
> wrote:
>> 
>> I understand. We'll use a 10 years or longer lifetime then. What
>> confused me is that OpenDNSSEC created a new key and published
>> it in my zonefile, waiting for me to complete the rollover by
>> issuing a ds-seen command. This looks very similar to the
>> automatic KSK rollover (which also stops waiting for me to issue
>> a ds-seen command). This makes me wonder what difference the
>> ManualRollover tag makes.
> 
> Ah, I see now why you might be confused.
> 
> ManualRollover is the default behavior of KSK, there is no 
> automatic because that would break your zone. Adding 
> <ManualRollover> does not change anything for the KSK.

I think it would be handy if one could configure OpenDNSSEC with KSKs
to have a lifetime of e.g. 1 year and that rollover should be
completely manual. OpenDNSSEC would then do nothing when the key
expires, other than logging warning messages, waiting for the operator
to initiate a rollover with a 'ods-ksmutil key rollover' command or
otherwise issue some other command to extend the lifetime of the old
key. BTW, is there a way to see how old a key is? This would be useful
in a setting where key rollover is manual.

Erik Østlyngen
UNINETT Norid
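The step the thread keeps returning to, 'ds-seen', is the operator's assertion that the parent zone now publishes a DS for the new KSK; OpenDNSSEC takes that on trust, so the check a practitioner wants before issuing it is to compute the DS from the new DNSKEY themselves (RFC 4034 key tag and digest over owner name plus RDATA) and compare it with what the parent actually serves. The following is an added example written for this page, not OpenDNSSEC's own code or its ods-ksmutil tooling. It assumes the operator has already fetched the DNSKEY from their own zone and the DS RRset from the parent (for instance with dig) and pastes them in as presentation-format lines; the DNSKEY and the SHA-1 DS in the sample data are the RFC 4034 section 5.4 test vector (key id 60485; that vector happens to carry flag 256 rather than a KSK's 257, which does not affect the arithmetic), while the other DS lines are constructed to show a stale and a corrupted DS being rejected.

```python
"""Verify that the parent's DS RRset really covers a DNSKEY before 'ds-seen'.

Pure RFC 4034 arithmetic over presentation-format records, no network access.
Added example for the OpenDNSSEC manual-rollover thread; not project code.
"""
import base64
import hashlib
import struct

# DS digest types we can recompute: 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name):
    """Owner name in canonical wire format: lower-case labels, uncompressed."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.lower().encode("ascii")
    return out + b"\x00"


def _tokens(line):
    # Tolerate the multi-line "( ... )" form seen in zone files and dig output.
    return line.replace("(", " ").replace(")", " ").split()


def parse_dnskey(line):
    """'owner [ttl] [IN] DNSKEY flags proto alg base64...' -> (owner, RDATA bytes)."""
    tok = _tokens(line)
    i = tok.index("DNSKEY")
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    pubkey = base64.b64decode("".join(tok[i + 4:]))
    return tok[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def parse_ds(line):
    """'owner [ttl] [IN] DS tag alg dtype hex...' -> (tag, alg, dtype, HEXDIGEST)."""
    tok = _tokens(line)
    i = tok.index("DS")
    return int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3]), "".join(tok[i + 4:]).upper()


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA (algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_type=2):
    """DS RDATA (tag, alg, dtype, HEXDIGEST); digest is over owner wire name + RDATA."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], digest_type, digest


def ds_seen_for(dnskey_line, parent_ds_lines):
    """True only if some parent DS has the same tag, algorithm and a matching digest.

    A tag-only match is not enough: tags collide and a corrupted DS would pass.
    """
    owner, rdata = parse_dnskey(dnskey_line)
    tag = key_tag(rdata)
    for ds in parent_ds_lines:
        ptag, palg, pdtype, pdigest = parse_ds(ds)
        if ptag != tag or pdtype not in DIGESTS:
            continue
        if ds_from_dnskey(owner, rdata, pdtype) == (ptag, palg, pdtype, pdigest):
            return True
    return False


# Sample data: DNSKEY and SHA-1 DS from RFC 4034 section 5.4 (key id 60485).
NEW_KSK = ("dskey.example.com. 86400 IN DNSKEY 256 3 5 ( AQOeiiR0GOMYkDshWoSKz9Xz"
           "fwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvx"
           "egXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9XzcnOf+EPbtG9DMBmADjFDc2w/r"
           "ljwvFw== )")
PARENT_DS_OK = "dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292118 )"
# Constructed: a DS for the old KSK that the parent has not yet removed.
PARENT_DS_STALE = "dskey.example.com. 86400 IN DS 12345 5 1 ( " + "0" * 40 + " )"
# Constructed: right tag, last hex digit flipped, as a typo in the registrar form would produce.
PARENT_DS_CORRUPT = "dskey.example.com. 86400 IN DS 60485 5 1 ( 2BB183AF5F22588179A53B0A98631FAD1A292119 )"


if __name__ == "__main__":
    print("new KSK key tag:", key_tag(parse_dnskey(NEW_KSK)[1]))
    for label, ds_set in [("stale only", [PARENT_DS_STALE]),
                          ("corrupt only", [PARENT_DS_CORRUPT]),
                          ("stale + correct", [PARENT_DS_STALE, PARENT_DS_OK])]:
        print(f"{label}: safe to run ds-seen = {ds_seen_for(NEW_KSK, ds_set)}")
```

Only when the function returns True for the DS set the parent actually serves (not the one you submitted) is it safe to tell OpenDNSSEC ds-seen; the stale DS for the previous KSK is expected to remain until the old key is retired, which is why matching is done per key tag and digest rather than on the RRset as a whole.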