Functionality:
- conf: added an option for switching between manual (= none) and automatic KSK rollover, and policy options for the KSK lifetime
- with automatic KSK rollover enabled, the server performs a rollover similar to the ZSK one
- when the parent zone's DS record needs to be updated, the proper CDS & CDNSKEY records are published and one of the following options applies (according to configuration):
  * simple timeout for a specified time
  * periodic check for the DS at the specified parent zone's authoritative server(s) (if more than one is specified, all of them must be updated)
  * manual confirmation by the user via knotc
- (also a warning timeout is possible, to warn the user that the KSK is nearing the end of its lifetime and parent zone handling is urgently needed)
- when we know that the DS is updated, we hide the CDS&CDNSKEY records and finalize the rollover

Internals:
- one more key state must be introduced: KEY_STATE_READY (between KEY_STATE_PUBLISHED and KEY_STATE_ACTIVE). This will be done **already as part of KASP refactoring** because of the KASP db structure etc.

Issues:
- it is not possible to handle the KSK lifetime policy option exactly, because we cannot anticipate how long the DS submission phase will take!

New configuration options:
- policy/ksk-automatic (issue: not homogeneous with policy/manual)
- policy/manage_rollover = manual | zsk_auto | full_auto (deprecates policy/manual, smooth transition)
- policy/ksk-lifetime
- policy/ksk-submission-timeout
- policy/ksk-submission-check [ list of server IPs ]
- policy/ksk-submission-warn (warning if the submission is not finished within the specified time)
- policy/ksk-submission-check (list of links to "remote" sections)
- (policy/ksk-submission-check-interval) - for now we just check at every zone re-sign to simplify conf
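The DS submission phase described under Functionality, driven by the timeout / check / warn options listed here, as an added example (not Knot DNS code, and not the proposal's implementation): the child computes the DS that the parent must publish for its new KSK (the same content it advertises in CDS), compares it with what each configured parent server answers, and treats the phase as finished only when every server carries it. The "timeout" and "manual" modes and the warning threshold follow the three options in the proposal. Key tag and SHA-256 digest follow RFC 4034 Appendix B and RFC 4509; the owner name, key material and parent answers are constructed sample data, and the server names are placeholders.

```python
import hashlib
import struct

# Added example, not Knot DNS code. Models the DS submission phase from the
# proposal: compute the DS/CDS for a KSK, then decide per re-sign pass whether
# the submission is finished according to the configured mode. All inputs are
# constructed sample data, not records from any real zone.

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (lower-case, RFC 4034 section 6.2)."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_for_key(owner: str, rdata: bytes) -> tuple:
    """(key tag, algorithm, digest type 2, hex digest): the DS/CDS content for a KSK."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def submission_complete(expected_ds: tuple, parent_answers: dict) -> bool:
    """parent_answers maps each configured parent server to the set of DS tuples
    it returned. The proposal requires all of them to carry the new DS."""
    return bool(parent_answers) and all(
        expected_ds in answers for answers in parent_answers.values())

def submission_status(mode, elapsed, *, timeout=None, warn=None,
                      expected_ds=None, parent_answers=None, confirmed=False):
    """Return (finished, warning) for one re-sign pass of the submission phase.
    `timeout` stands for ksk-submission-timeout, `warn` for ksk-submission-warn."""
    if mode == "timeout":          # simple timeout for a specified time
        finished = elapsed >= timeout
    elif mode == "check":          # periodic DS check at the parent servers
        finished = submission_complete(expected_ds, parent_answers)
    elif mode == "manual":         # confirmation by the operator via knotc
        finished = confirmed
    else:
        raise ValueError(f"unknown submission mode {mode!r}")
    warning = not finished and warn is not None and elapsed >= warn
    return finished, warning

# Constructed sample: a KSK (flags 257) with a dummy 4-byte key, algorithm 13.
SAMPLE_OWNER = "example.com."
SAMPLE_KSK = dnskey_rdata(257, 3, 13, b"\x01\x02\x03\x04")
SAMPLE_DS = ds_for_key(SAMPLE_OWNER, SAMPLE_KSK)

def demo():
    """Two placeholder parent servers; only the first has picked up the new DS."""
    answers = {"parent-ns1": {SAMPLE_DS}, "parent-ns2": {("old", 0, 0, "")}}
    partial = submission_status("check", elapsed=3600, warn=1800,
                                expected_ds=SAMPLE_DS, parent_answers=answers)
    answers["parent-ns2"].add(SAMPLE_DS)   # second server catches up
    done = submission_status("check", elapsed=3600, warn=1800,
                             expected_ds=SAMPLE_DS, parent_answers=answers)
    return partial, done

if __name__ == "__main__":
    print("DS for sample KSK:", SAMPLE_DS)
    print("partial, then complete:", demo())
```

With one of two parent servers lagging, `demo()` first reports the phase unfinished and, because the elapsed time has passed the warn threshold, raises the warning; once both servers answer the new DS it reports finished, which is the point at which the CDS & CDNSKEY records would be withdrawn and the rollover finalized.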