Hi Rickard,
Am 01.12.2011 15:48, schrieb Rickard Bellgrim:
What I would do is to add the emergency DNSKEY as a normal RR in the
plain zone, because OpenDNSSEC doesn't need to maintain its state as a
key.
Then, in case of a rollover, it should be a matter of adding a new
keystore with SoftHSM.
You just add the DNSKEY of the emergency ZSK in the unsigned zone.
Perfect.
And add a DS of the emergency KSK to the parent zone. But the DS could be
added later if you feel that you have time for that. You also need to use
> the same algorithm. If not, then it would be an algorithm rollover
which is not handled in this way.
Yes, all our keys will use the same algorithm.
Thanks,
Michael
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
