See: NLnetLabs/domain#491
This will power the missing "Key Manager" component in the nameshed demo, which will be responsible for generating keys and indicating which actions should be taken by the signer using which keys. It should also shield the signer from needing the KSK private key, as it generates RRSIGs for apex records itself; the signer should only need the ZSK private key.
Initially invocation will be via command line execution of the new `dnst keyset` command, possibly also with monitoring of the generated `.state` files (one per zone) for changes and use of the `domain` library code to inspect the `.state` file for pending actions.
Details to be worked out.