Hi Luveh,
what do you need to achieve in the first place?
What is your configured key lifetime? "Two years' worth of keys" might be
just "three" for some operators ;)
Do you use the `keymgr pregenerate` command to pre-generate the keys? Please
note that this feature is intended mostly for Offline KSK operation.
And it pre-generates just ZSKs.
In any case, if you look at the output of `keymgr list`, you will see
the "timers" of each key. This should answer the question of the
order in which they will be used: the lifetime phases of all the keys are
already pre-planned.
Regarding Knot slowness: it is possible. Knot is possibly programmed
inefficiently when handling a large number of keys. The reason is that
normally there are just a few, or at most several, keys in the zone.
Libor
On 18. 08. 21 at 22:59, Luveh Keraph wrote:
I have been looking into the key pre-generation capability of keymgr,
and the following question has come up:
Imagine I pre-generate, say, one month's worth of keys for a given
zone. This zone is defined so that it will be signed automatically on
bringing up the Knot server. Next I start the Knot server. What
criteria are used in order to select the keys, among the pre-generated
ones, to be used to sign this zone?
The reason I am asking is because I pre-generated two years' worth of
keys for a particular zone, and when I started the Knot server it took
a significant amount of time selecting the appropriate keys from among
the pre-generated ones.
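To illustrate Libor's point that the timers shown by `keymgr ZONE list` already fix the order in which pre-generated keys will be used, here is an added example that is not part of this thread or of the Knot DNS project. It assumes the list output has one key per line, a key id followed by space-separated key=value fields, with the lifecycle timers (pre-active, publish, ready, active, retire-active, retire, post-active, revoke, remove) given as Unix timestamps and 0 meaning "not set"; that layout, the key ids and the timestamps below are constructed for the example.

```python
"""Order Knot DNS keys by their lifecycle timers (added example).

Assumption: input is one key per line in the shape `keymgr ZONE list`
prints: a key id followed by space-separated key=value fields, where the
timer fields hold Unix timestamps and 0 means "timer not set". The key
ids and timestamps below are constructed for illustration.
"""

# Lifecycle timers in the order a key passes through them.
TIMERS = ("pre-active", "publish", "ready", "active", "retire-active",
          "retire", "post-active", "revoke", "remove")

# Constructed sample: one KSK already in use, two ZSKs planned back to back,
# and one pre-generated ZSK not yet published. Not real keymgr output.
SAMPLE_LIST_OUTPUT = """\
c0ffee01 ksk=yes zsk=no tag=11111 algorithm=13 size=256 public-only=no pre-active=0 publish=1628000000 ready=1628086400 active=1628172800 retire-active=0 retire=0 post-active=0 revoke=0 remove=0
c0ffee02 ksk=no zsk=yes tag=22222 algorithm=13 size=256 public-only=no pre-active=0 publish=1629000000 ready=0 active=1629086400 retire-active=0 retire=1631678400 post-active=0 revoke=0 remove=1631764800
c0ffee03 ksk=no zsk=yes tag=33333 algorithm=13 size=256 public-only=no pre-active=0 publish=1631592000 ready=0 active=1631678400 retire-active=0 retire=1634270400 post-active=0 revoke=0 remove=1634356800
c0ffee04 ksk=no zsk=yes tag=44444 algorithm=13 size=256 public-only=no pre-active=0 publish=1634184000 ready=0 active=1634270400 retire-active=0 retire=1636862400 post-active=0 revoke=0 remove=1636948800
"""


def parse_keymgr_list(text):
    """Parse list-style lines into dicts: key id, flags, and integer timers."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        key = {"id": parts[0]}
        for field in parts[1:]:
            name, _, value = field.partition("=")
            key[name] = int(value) if name in TIMERS else value
        keys.append(key)
    return keys


def phase_at(key, now):
    """Return the lifecycle phase a key is in at Unix time `now`.

    The phase is the latest set timer that has already passed; a key none
    of whose timers has passed yet is only generated, not yet published.
    """
    passed = [(key.get(t, 0), i) for i, t in enumerate(TIMERS)
              if key.get(t, 0) and key[t] <= now]
    if not passed:
        return "generated"
    _, idx = max(passed)
    return TIMERS[idx]


def usage_order(keys):
    """Key ids in the order the keys become active (unset active timer last)."""
    ordered = sorted(keys, key=lambda k: (k.get("active", 0) == 0,
                                          k.get("active", 0)))
    return [k["id"] for k in ordered]


def signing_keys_at(keys, now):
    """Ids of keys signing at `now`, i.e. in the active or retire-active phase."""
    active = [k for k in keys if phase_at(k, now) in ("active", "retire-active")]
    return usage_order(active)


if __name__ == "__main__":
    keys = parse_keymgr_list(SAMPLE_LIST_OUTPUT)
    now = 1632000000  # constructed "current time" for the demonstration
    print("order of use:", usage_order(keys))
    for k in keys:
        kind = "ksk" if k["ksk"] == "yes" else "zsk"
        print(k["id"], kind, phase_at(k, now))
    print("signing at", now, ":", signing_keys_at(keys, now))
```

Reading the timers this way also shows why the server has no "selection" to do at start-up: with every key's publish, active and retire timestamps planned in advance, the only question at any moment is which keys' active timer has passed and whose retire timer has not.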