I've added some automation around signing zones. For the KSK, it has a default life of 12 months. I'm looking at having two valid KSKs running with an overlap of 6 months. This means updating dlv.isc.org every 6 months: adding a new key, removing the old key and leaving the key that's 6 months old. My system should remind me when to do this. Of course, I'm still in the first 6-month cycle, so there is only one KSK for now, so I'll only be adding a KSK next maintenance cycle. This is fine for a few domains, but I agree it would be painful for many domains.
I'd like to see a system that I can tickle so that it fetches the new KSK from me (all automated). Now that my zone is 'secure', I could use it to distribute a public key (PGP, whatever). I still have the TXT DLV record in my zone. Just thinking out loud, as I'm interested too. One day I'd expect this to be built into Registry/Registrar EPP-type interfaces; fine, except I like to host my own DNS.

On Sat, 2009-07-04 at 22:36 -0700, Shane W wrote:
> Hello all,
>
> So I just did a KSK rollover, just to get a feel for how
> it's done, updating dlv.isc.org in the process. My question
> though is one of administration. When a domain rolls its
> KSK, will it be necessary to manually log in to a website
> and paste the new keys, log in again a month later and
> delete the old KSK? How will this work for sites hosting
> many domains? Is there some sort of standardized way as yet
> to communicate key changes to an upstream zone or in this
> case a lookaside provider?
>
> Shane

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa. e.164 VOIP ready
m...@posix.co.za
Tel: +27 12 807 0590 Cell: +27 82 601 0496
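As an added example (not code from the original post or from BIND), here is a small Python scheduler for the policy described above: a 12-month KSK life, a new KSK every 6 months, and a lookaside (DLV) entry per key that is inside its life. Key tags, creation dates and the "currently published" set are constructed inputs; in practice they would come from the key files and from whatever the lookaside provider reports.

```python
from datetime import date, timedelta

# Policy from the post: 12-month KSK life, a new KSK every 6 months,
# so two KSKs overlap for the second half of each key's life.
KSK_LIFETIME = timedelta(days=365)
ROLLOVER_INTERVAL = timedelta(days=182)


def _parse(keys):
    """keys: {key_tag: 'YYYY-MM-DD' creation date} -> {key_tag: date}."""
    return {tag: date.fromisoformat(d) for tag, d in keys.items()}


def _valid_tags(created, today):
    """Key tags whose 12-month life covers 'today'."""
    return {
        tag for tag, c in created.items()
        if c <= today < c + KSK_LIFETIME
    }


def plan_dlv_update(keys, published, today):
    """Return (tags_to_add, tags_to_remove) for the maintenance cycle on
    'today' (ISO date string). 'published' is the set of key tags the
    lookaside provider currently holds (constructed input here)."""
    valid = _valid_tags(_parse(keys), date.fromisoformat(today))
    published = set(published)
    return sorted(valid - published), sorted(published - valid)


def next_ksk_due(keys):
    """Date by which the next KSK must be generated so that the newest key
    is never older than 6 months without a successor (keeps the overlap)."""
    newest = max(_parse(keys).values())
    return (newest + ROLLOVER_INTERVAL).isoformat()


def coverage_ok(keys, today):
    """False when no KSK is inside its life on 'today': every lookaside
    pointer would then be stale and validators would reject the zone.
    This is the failure mode the reminder in the post is meant to avoid."""
    return bool(_valid_tags(_parse(keys), date.fromisoformat(today)))


if __name__ == "__main__":
    # Constructed sample: two KSKs generated six months apart.
    ksks = {12345: "2009-01-15", 23456: "2009-07-15"}
    print(plan_dlv_update(ksks, [12345], "2009-07-20"))   # add 23456
    print(plan_dlv_update(ksks, [12345, 23456], "2010-01-20"))  # drop 12345
    print(next_ksk_due(ksks), coverage_ok(ksks, "2010-07-20"))
```

Running `plan_dlv_update` at each cycle and `coverage_ok` from a cron job gives the reminder the post describes, without hand-counting months.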