On Wed, 2013-09-04 at 12:53 -0400, Dmitri Pal wrote:
> Should we treat this functionality independent from the tool?
> I am concerned with volume of the load and replication. I think it
> should be an option - single master generates keys or you can enable
> others to generate the keys and if they are enabled to generate them,
> they would follow the algorithm proposed by Simo.
Having a single master generate keys is a single point of failure and
will bring down your whole infrastructure if you really use DNSSEC.
I say we cannot release DNSSEC as usable unless we have robust/redundant
My schema does not add any relevant replication traffic; keep in mind
the only keys generated are the signing keys, which are rotated once
every few months.
Simo Sorce * Red Hat, Inc * New York
Freeipa-devel mailing list