[Pdns-users] New Diff for slight changes

Craig Whitmore lennon at orcon.net.nz
Fri Jun 17 00:26:13 UTC 2011


Over the last week I have been implementing the roll over of the keys on my
test system and found a few issues. If you want to roll over a KSK you have
to add a new one, then tell your upstream the new DS's and then after a
while delete the old one. When you use add-zone-key it sets it to activate
initially, which I don't want to do.

Following RFC 4641 on how the roll overs work.

What I want to do with KSK's when I want to roll over:
* Add a new KSK
* Increase Serial
* Tell Upstream I have 2 new DS's (so they have 4)
* Wait until TTL expires
* Activate NEW KSK
* Deactivate New KSK
* Delete old DS's from Upstream  (so they have 2 again)
* Wait Until TTL Expires
* Delete OLD KSK
* Repeat each time for KSK rollover
For a ZSK roll over (as there are 2 added initially, 1 active and 1
deactivated):
* Set Deactivated Key to Active
* Set OLD Activated Key to Deactivated
* Delete OLD Key
* Add a New Key set to Deactivated
* Repeat Each time for
Also with disable-dnssec you really do want to delete the old keys as they
will be no use to anyone, and if you enable again it stuffs everything up.

So my patch (patch against 2216):
* Fixes Formatting of displaying pdnssec usage
* Checks usage of commands so no seg faults when typing incorrect number of
arguments
* Removes the Keys when you disable-dnssec instead of leaving them there
* When adding a new Key it does not activate it as you don't want to do this
normally
Comments? Or am I reading the RFC's wrongly on how you should do a roll over
and how powerdnssec implements it?




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20110617/e1b5648d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pdnssec.cc.diff
Type: application/octet-stream
Size: 10350 bytes
Desc: not available
URL: <http://mailman.powerdns.com/pipermail/pdns-users/attachments/20110617/e1b5648d/attachment.obj>
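The staged KSK and ZSK procedure listed in the mail, written out as a shell script with one function per phase. This is an added example, not the attached patch or any PowerDNS code; it assumes the pdnssec subcommands add-zone-key, activate-zone-key, deactivate-zone-key, remove-zone-key, increase-serial and show-zone, and that the operator reads key ids from show-zone output and runs each phase only after the relevant TTL has expired. Because add-zone-key activates the new key straight away (the behaviour the mail complains about), a separate key_hold step deactivates it. The function names, zone name and key ids in the usage lines are placeholders invented for illustration; DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Staged DNSSEC key rollover with pdnssec, one function per phase.
# Added example (not the mail's patch): the operator runs the phases days
# apart, after the relevant TTLs have expired, passing key ids read from
# `pdnssec show-zone ZONE`. Zone names and key ids below are placeholders.
# Assumed subcommands: add-zone-key, activate-zone-key, deactivate-zone-key,
# remove-zone-key, increase-serial, show-zone.
# DRY_RUN=1 prints each command instead of executing it.

PDNSSEC="${PDNSSEC:-pdnssec}"

run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$PDNSSEC $*"
    else
        "$PDNSSEC" "$@"
    fi
}

# Argument-count check for every phase, so a typo fails with a usage line
# instead of running a half-formed pdnssec command.
usage() {
    echo "usage: $*" >&2
    return 1
}

# KSK phase 1: publish a new KSK. add-zone-key activates it immediately, so
# note its id in the show-zone output and run key_hold on it right away;
# then hand the new DS records to the parent (the parent now holds DS
# records for both KSKs).
ksk_publish() {
    [ $# -eq 1 ] || { usage "ksk_publish ZONE"; return 1; }
    run add-zone-key "$1" ksk
    run increase-serial "$1"
    run show-zone "$1"
}

# Deactivate a key that should be published but must not sign yet
# (also used for a freshly added standby ZSK).
key_hold() {
    [ $# -eq 2 ] || { usage "key_hold ZONE KEY-ID"; return 1; }
    run deactivate-zone-key "$1" "$2"
    run increase-serial "$1"
}

# KSK phase 2, after the new DS is at the parent and the old DS/DNSKEY TTL
# has passed: sign with the new KSK, stop signing with the old one.
ksk_swap() {
    [ $# -eq 3 ] || { usage "ksk_swap ZONE NEW-KEY-ID OLD-KEY-ID"; return 1; }
    run activate-zone-key "$1" "$2"
    run deactivate-zone-key "$1" "$3"
    run increase-serial "$1"
}

# Final phase for either key type, after the parent has dropped the old DS
# (KSK) or signatures made with the old key have expired from caches (ZSK).
key_retire() {
    [ $# -eq 2 ] || { usage "key_retire ZONE OLD-KEY-ID"; return 1; }
    run remove-zone-key "$1" "$2"
    run increase-serial "$1"
}

# ZSK pre-publish roll: the standby key becomes the signing key, the old key
# stays published but inactive until key_retire, and a new standby is added
# (then key_hold it, since add-zone-key activates it).
zsk_roll() {
    [ $# -eq 3 ] || { usage "zsk_roll ZONE STANDBY-KEY-ID ACTIVE-KEY-ID"; return 1; }
    run activate-zone-key "$1" "$2"
    run deactivate-zone-key "$1" "$3"
    run add-zone-key "$1" zsk
    run increase-serial "$1"
    run show-zone "$1"
}

# Example invocation (placeholder zone and key ids):
#   DRY_RUN=1 sh rollover.sh ksk_swap example.com 7 3
case "${1:-}" in
    ksk_publish|key_hold|ksk_swap|key_retire|zsk_roll) "$@" ;;
esac
```

One deliberate difference from the list in the mail: the old ZSK is not removed in the same step that deactivates it. An inactive key stays in the DNSKEY set, so the RRSIGs it produced, which may still sit in resolver caches, keep validating until they expire; key_retire removes it as a separate phase once that has happened, which is the pre-publish scheme RFC 4641 describes.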