> I am trying to use zkt-keyman -1 domain.dd to initiate
> semi-automatic KSK rollover, then after the propagation of the new key
Ok, this means you have to initiate every step manually!

> ZKT switches
> to KSK roll phase2, this is when admin needs to post new DS record to
> parent, after that ZKT automatically switches to phase3 and removes old KSK.
If phase3 is done automatically then this is a bug, or you are using zkt in a hierarchical way with automated KSK rollover in place.

Could you please give me some insight if the parent is hosted by the same server and under control of zkt? Maybe this leads zkt-signer to take over your manually started KSK rollover.

> I think this is a problem in case admin did not send a new DS to a
> parent zone and in phase3 the active key has been removed. Then parent
Yes, for sure, this is a problem.

> zone will contain a DS record of the old KSK and zone will contain the
> new KSK and zone will become bogus.
> Maybe phase3 also should be called manually with zkt-keyman 3 domain.dd. ?
Yes, if it is started manually, all must be done manually.

> Here are the logs -
>
> 2012-02-23 08:30:01.088: debug: kskrollover: we are in state 2 and
> waiting for parent propagation (parentfile 7200sec<  parentprop 300sec +
> parentkeyttl 7200sec
> 2012-02-23 08:36:01.663: debug: kskrollover: remove parentfile and
> rename old key to kdomain.dd.+008+30177.key
> 2012-02-23 08:36:01.663: info: "domain.dd.": kskrollover phase3: Remove
> old key 30177

Thanks for the hint. I will look into the code to see if it is possible to detect the manual KSK rollover in an automated environment.

Best regards
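The precondition the thread is arguing for, written out as a check: before phase3 removes the old KSK, confirm that the parent already publishes a DS matching a KSK that stays in the zone, otherwise the zone goes bogus exactly as described above. This is an added example written for this page, not ZKT's own code; the DNSKEY bytes are constructed (not real key material), the zone name follows the thread's domain.dd, and the function names are assumptions.

```python
import hashlib
from typing import NamedTuple

class DNSKEY(NamedTuple):
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes            # raw public-key bytes (the base64-decoded tail of the RR)

class DS(NamedTuple):
    key_tag: int
    algorithm: int
    digest_type: int         # 2 = SHA-256 is the only digest type implemented here
    digest: str              # lowercase hex

def dnskey_rdata(k: DNSKEY) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return k.flags.to_bytes(2, "big") + bytes([k.protocol, k.algorithm]) + k.pubkey

def key_tag(k: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (the 30177-style number in ZKT's file names)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(k)):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def owner_wire(zone: str) -> bytes:
    """Canonical (lowercase) wire-format owner name, e.g. 'domain.dd.'."""
    out = b""
    for label in zone.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def ds_for(zone: str, k: DNSKEY) -> DS:
    """The DS record (digest type 2) the parent must publish for DNSKEY k."""
    digest = hashlib.sha256(owner_wire(zone) + dnskey_rdata(k)).hexdigest()
    return DS(key_tag(k), k.algorithm, 2, digest)

def safe_to_remove_ksk(zone, dnskeys, parent_ds, old_tag) -> bool:
    """Phase-3 precondition: after dropping the KSK with tag old_tag, at least
    one remaining KSK (SEP bit set) must be matched by a DS the parent publishes."""
    remaining = [k for k in dnskeys if k.flags & 1 and key_tag(k) != old_tag]
    published = set(parent_ds)
    return any(ds_for(zone, k) in published for k in remaining)

# Constructed sample zone: old KSK, new KSK (phase1 added it) and one ZSK.
ZONE = "domain.dd."
OLD_KSK = DNSKEY(257, 3, 8, b"\x01\x02\x03\x04")
NEW_KSK = DNSKEY(257, 3, 8, b"\x05\x06\x07\x08")
ZSK = DNSKEY(256, 3, 8, b"\x09\x0a\x0b\x0c")
```

Feeding it the parent's current DS RRset and the old key tag before running zkt-keyman phase3 turns the "admin forgot the DS" case from a bogus zone into a refused step.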


zkt-users mailing list
