Maik Zumstrull wrote: [key rollover]
> The basic logic per zone is:
>
> Disable any expired ZSKs
> Make sure there is an active ZSK
> If we already have a fresh spare key, enable it
> Otherwise, create a fresh and immediately active key
> If the active ZSK will expire soon, create a spare key

These last two lines implicate another question: Is there any possibility to influence the source of random used by pdns to create keys?

On a server, typically there is not much in /dev/random as there are typically no user interactions, and if you issue a hidden primary for DNSSECing your zones there is even less IO or other random things that happen on machines to fill the pool.

Perhaps a question for everybody.. How do you make sure you have enough *good* random for (frequent) key generation for (many) different zones?

Same KSK/ZSK for all deployed zones to reduce the amount of random cyclically needed?
Write a script to query random.org?
Invest $BIGBUCKS to purchase expensive TRNG-Hardware?
Use /dev/urandom instead? o.O

Sebastian

-- 
baboo
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
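The per-zone ZSK logic quoted from Maik above, written out as a small simulation (an added example, not PowerDNS code). Keys are abstract records whose `key_id` stands in for real key material and is drawn from `secrets`, i.e. the OS CSPRNG; the "only create a spare if none exists yet" guard in the last step is an assumption added so that a pass does not mint a new spare every run.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import secrets

@dataclass
class Zsk:
    key_id: str
    created: datetime
    expires: datetime
    active: bool = False
    disabled: bool = False

@dataclass
class Zone:
    name: str
    lifetime: timedelta      # how long a ZSK may be used after creation
    pre_publish: timedelta   # how long before expiry a spare is created
    keys: list = field(default_factory=list)

def new_key(now, lifetime, active):
    # key_id stands in for real key material; it comes from the OS CSPRNG
    return Zsk(secrets.token_hex(16), now, now + lifetime, active=active)

def rollover_step(zone, now):
    """One pass of the per-zone logic; returns the actions taken as strings."""
    actions = []
    # 1. disable any expired ZSKs
    for k in zone.keys:
        if not k.disabled and k.expires <= now:
            k.disabled, k.active = True, False
            actions.append(f"disable {k.key_id}")
    # 2. make sure there is an active ZSK
    if not any(k.active and not k.disabled for k in zone.keys):
        spares = [k for k in zone.keys if not k.active and not k.disabled]
        if spares:
            spares[0].active = True            # 3. enable the fresh spare
            actions.append(f"activate {spares[0].key_id}")
        else:
            k = new_key(now, zone.lifetime, active=True)   # 4. no spare yet
            zone.keys.append(k)
            actions.append(f"create-active {k.key_id}")
    # 5. if the active ZSK expires soon (and no spare exists), create a spare
    active = [k for k in zone.keys if k.active and not k.disabled]
    has_spare = any(not k.active and not k.disabled for k in zone.keys)
    if active and active[0].expires - now <= zone.pre_publish and not has_spare:
        k = new_key(now, zone.lifetime, active=False)
        zone.keys.append(k)
        actions.append(f"create-spare {k.key_id}")
    return actions
```

Run `rollover_step` repeatedly with an advancing clock to see a key being created, a spare pre-published a week before expiry, and the spare taking over once the old key is disabled.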
