[Opendnssec-user] Sharedkeys for multiple zones

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Mar 9 11:27:11 UTC 2017


Hi Arun,


> the concerns of shared keys were also about the practical side:
> - should the keys be rolled over at the same time for all zones?

No.
Zones will share keys but they need not be in phase. So in general when
having multiple zones with shared keys you have 2 keys instead of one.
Some of the zones use the newest key, some of them still use the old
(because they haven't rolled yet).

> - introducing new zones - does it really use the active shared key for
> signing a new zone, especially when the key is supposed to be dead,
> based on an old zone policy?

When adding a new zone (idem for just rolling a key on an existing zone)
the enforcer will find the most recent key in use for that policy.
However, if it deems the key too old (it is about to be rolled) it will
generate a new key. Existing zones rolling at a later time will then
roll to this new key.

So you won't see all your zones rolling at once (unless you added them
all at once). Nor will the rolling of zone A be blocked by zone B. Keys
being used longer than 1/2 their lifetime will not be considered a
candidate to roll to. So worst case a key is used for 1.5 times its
KASP-configured lifetime.

//Yuri
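The selection rule described in the reply above (reuse the newest key in use for the policy unless it is past half its lifetime, otherwise generate a fresh one) is small enough to simulate. The following is an added illustration, not OpenDNSSEC code and not part of the original thread. It assumes a single policy, integer time units, that a zone rolls once it has used a key for the full lifetime counted from when that zone adopted it, and a constructed schedule of zone additions (zones "a", "b", "c" at times 0, 49 and 60) chosen to show a zone picking up a key just under the half-lifetime mark.

```python
"""Toy model of shared-key selection across zones under one KASP policy.

Constructed illustration of the rule described in the mailing-list reply;
this is not OpenDNSSEC's enforcer code.  Times are integers in arbitrary
units and the key lifetime is the policy's configured lifetime.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Key:
    ident: int
    created: int                    # time the key was generated
    retired: Optional[int] = None   # time the last zone stopped using it


@dataclass
class Zone:
    name: str
    key: Optional[Key] = None
    adopted_at: int = 0             # when this zone started signing with key


class SharedKeyEnforcer:
    """Hypothetical enforcer: reuse the newest key in use for the policy
    unless it is past half its lifetime, otherwise generate a new key."""

    def __init__(self, lifetime: int) -> None:
        self.lifetime = lifetime
        self.keys: List[Key] = []
        self.zones: Dict[str, Zone] = {}
        self.log: List[str] = []

    def _generate(self, now: int) -> Key:
        key = Key(ident=len(self.keys) + 1, created=now)
        self.keys.append(key)
        self.log.append(f"t={now}: generated key {key.ident}")
        return key

    def select_key(self, now: int) -> Key:
        in_use = [z.key for z in self.zones.values() if z.key is not None]
        if in_use:
            newest = max(in_use, key=lambda k: k.created)
            # A key used longer than half its lifetime is not a candidate.
            if now - newest.created < self.lifetime / 2:
                return newest
        return self._generate(now)

    def _assign(self, zone: Zone, now: int) -> None:
        old = zone.key
        new = self.select_key(now)
        zone.key, zone.adopted_at = new, now
        self.log.append(f"t={now}: zone {zone.name} uses key {new.ident}")
        if old is not None and old is not new:
            self._retire_if_unused(old, now)

    def _retire_if_unused(self, key: Key, now: int) -> None:
        # A shared key is only done once no zone signs with it any more.
        if key.retired is None and not any(z.key is key for z in self.zones.values()):
            key.retired = now
            self.log.append(f"t={now}: key {key.ident} retired")

    def add_zone(self, name: str, now: int) -> None:
        zone = Zone(name)
        self.zones[name] = zone
        self._assign(zone, now)

    def tick(self, now: int) -> None:
        """Roll every zone that has used its key for a full lifetime."""
        for zone in self.zones.values():
            if zone.key is not None and now - zone.adopted_at >= self.lifetime:
                self._assign(zone, now)


def run_scenario(lifetime: int = 100) -> dict:
    """Constructed schedule: zone b adopts zone a's key just under the
    half-lifetime mark, zone c arrives after it and so triggers a new key."""
    enf = SharedKeyEnforcer(lifetime)
    schedule = {0: ["a"], 49: ["b"], 60: ["c"]}
    for t in range(0, 3 * lifetime + 1):
        for name in schedule.get(t, []):
            enf.add_zone(name, t)
        enf.tick(t)
    retired = [k for k in enf.keys if k.retired is not None]
    return {
        "keys": [(k.ident, k.created, k.retired) for k in enf.keys],
        "zone_keys": {n: z.key.ident for n, z in enf.zones.items()},
        # Longest a key stayed in use, as a multiple of the lifetime.
        "longest_use": max((k.retired - k.created) / lifetime for k in retired),
        "log": enf.log,
    }


if __name__ == "__main__":
    result = run_scenario()
    print("\n".join(result["log"]))
    print("longest key use:", result["longest_use"], "x lifetime")
```

With a lifetime of 100, key 1 is generated at t=0, picked up by zone b at t=49 and only retired when b rolls at t=149, so it is used for 1.49 lifetimes, just under the 1.5 worst case. Zone c, added at t=60, finds key 1 past half its lifetime and gets key 2; when zone a rolls at t=100 it moves to that existing key 2 rather than generating another, and at any moment at most two keys are in use.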
