- conf: added an option for switching between manual (=none) and automatic KSK rollover, and policy options for the KSK lifetime
- with automatic KSK rollover enabled, the server performs a rollover similar to the ZSK one
- when the parent zone's DS record needs to be updated, the proper CDS and CDNSKEY records are published and one of the following options applies (according to the configuration):
* simple timeout for the specified time
* periodic check for the DS at the specified authoritative server(s) of the parent zone (if more than one is specified, all of them must already serve the new DS)
* manual confirmation by the user via knotc
- once we know that the DS has been updated, we hide the CDS and CDNSKEY records and finalize the rollover
Internals:
- one more key state must be introduced: KEY_STATE_READY (between KEY_STATE_PUBLISHED and KEY_STATE_ACTIVE). This will be done **already as part of the KASP refactoring** because of the KASP DB structure etc.
Issues:
- it is not possible to honour the KSK lifetime policy option exactly, because we cannot anticipate how long the DS submission phase will take!
New configuration options:
- policy/ksk-automatic (issue: not homogeneous with policy/manual)
- policy/ksk-lifetime
- policy/ksk-submission-timeout
- policy/ksk-submission-check [ list of server IPs ]
- (policy/ksk-submission-check-interval) - for now we just check at every zone re-sign to keep the configuration simple
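The rollover steps listed above (publish, wait for the parent DS, hide CDS/CDNSKEY, finalize), the extra READY key state and the three confirmation modes behind the proposed options can be modelled in a few lines. The following is an added illustration written for this page, not Knot DNS code: the class and function names, the 'timeout'/'check'/'manual' mode strings and the dummy keys are this example's own assumptions. The DS digest and key tag follow RFC 4034 (SHA-256 digest type 2 as in RFC 4509), so the "all parent servers must serve the new DS" rule is checked against real DS rdata rather than a flag.

```python
"""Toy model of automatic KSK rollover with a DS submission check.

Added example, not Knot DNS code. Names, mode strings and keys are
constructed for illustration only.
"""
import hashlib
from enum import Enum

DS_SHA256 = 2  # DS digest type for SHA-256 (RFC 4509)

def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lowercase, length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: flags(2) protocol(1, always 3) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([3, algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, algorithms other than 1)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += (b << 8) if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type, digest): what DS and CDS carry (RFC 4034 5.1.4)."""
    digest = hashlib.sha256(owner_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], DS_SHA256, digest)

class KeyState(Enum):
    PUBLISHED = 1  # DNSKEY in the zone, still propagating to caches
    READY = 2      # propagated; CDS/CDNSKEY published, waiting for the parent DS
    ACTIVE = 3     # parent DS points here; the key signs the DNSKEY RRset
    RETIRED = 4

class KskRollover:
    """One KSK rollover; `mode` is 'timeout', 'check' or 'manual' (example's own names)."""

    def __init__(self, zone, new_rdata, mode, timeout=0, parents=()):
        self.zone, self.new_rdata, self.mode = zone, new_rdata, mode
        self.timeout, self.parents = timeout, list(parents)
        self.new_state, self.old_state = KeyState.PUBLISHED, KeyState.ACTIVE
        self.cds = None          # CDS/CDNSKEY is published only while READY
        self.ready_at = None
        self.confirmed = False   # set by the operator (knotc) in 'manual' mode

    def mark_ready(self, now):
        self.new_state, self.ready_at = KeyState.READY, now
        self.cds = ds_record(self.zone, self.new_rdata)

    def confirm(self):
        self.confirmed = True

    def ds_submitted(self, now, parent_ds_sets):
        """Decide whether the parent DS is known to be updated."""
        if self.mode == "timeout":
            return now - self.ready_at >= self.timeout
        if self.mode == "check":
            # Every configured parent server must already serve the new DS.
            return len(parent_ds_sets) == len(self.parents) and all(
                self.cds in ds_set for ds_set in parent_ds_sets)
        if self.mode == "manual":
            return self.confirmed
        raise ValueError(self.mode)

    def step(self, now, parent_ds_sets=()):
        """Called at every zone re-sign; finalizes once the DS is known to be updated."""
        if self.new_state is not KeyState.READY or not self.ds_submitted(now, parent_ds_sets):
            return False
        self.cds = None  # hide CDS/CDNSKEY
        self.new_state, self.old_state = KeyState.ACTIVE, KeyState.RETIRED
        return True

# Constructed scenario: a zone whose parent is served by two authoritative servers.
ZONE = "example.com."
OLD_KEY = dnskey_rdata(257, 13, bytes(range(1, 65)))
NEW_KEY = dnskey_rdata(257, 13, bytes(range(101, 165)))
OLD_DS = ds_record(ZONE, OLD_KEY)
NEW_DS = ds_record(ZONE, NEW_KEY)

def run_check_mode():
    """(finalized while one parent lags, finalized once both updated, CDS hidden)."""
    roll = KskRollover(ZONE, NEW_KEY, "check", parents=["ns1.parent", "ns2.parent"])
    roll.mark_ready(now=0)
    stale, updated = {OLD_DS}, {OLD_DS, NEW_DS}
    first = roll.step(now=10, parent_ds_sets=[updated, stale])
    second = roll.step(now=20, parent_ds_sets=[updated, updated])
    return first, second, roll.cds is None

def run_timeout_mode():
    roll = KskRollover(ZONE, NEW_KEY, "timeout", timeout=3600)
    roll.mark_ready(now=0)
    return roll.step(now=1800), roll.step(now=3600)

def run_manual_mode():
    roll = KskRollover(ZONE, NEW_KEY, "manual")
    roll.mark_ready(now=0)
    before = roll.step(now=5)
    roll.confirm()  # operator confirmed via the control utility
    return before, roll.step(now=6)

if __name__ == "__main__":
    print("check  :", run_check_mode())
    print("timeout:", run_timeout_mode())
    print("manual :", run_manual_mode())
```

The 'check' mode is the interesting one: a lagging parent server keeps the rollover in READY and the CDS/CDNSKEY stays published, which is exactly why the KSK lifetime cannot be honoured exactly, as noted under Issues. The model also shows why the check can simply run at every re-sign: `step()` is idempotent until the condition holds.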