Hi Luveh,
What do you need to achieve in the first place?
What is your configured key lifetime? "Two years' worth of keys" might be just "three" for some operators ;)
Do you use the `keymgr pregenerate` command to pre-generate the keys? Please note that this feature is intended mostly for Offline KSK operation. And it pre-generates just ZSKs.
In any case, if you look at the output of `keymgr list`, you will see the "timers" of each key. This should answer the question of which order they will be used in: the lifetime phases of all the keys are already pre-planned.
Regarding Knot slowness: it is possible. Knot is possibly programmed ineffectively when handling a large number of keys. The reason is that normally there are just a few, or at most several, keys in the zone.
Libor
I have been looking into the key pre-generation capability of keymgr, and the following question has come up:
Imagine I pre-generate, say, one month's worth of keys for a given zone. This zone is defined so that it will be signed automatically on bringing up the Knot server. Next I start the Knot server. What criteria are used in order to select the keys, among the pre-generated ones, to be used to sign this zone?
The reason I am asking is because I pre-generated two years' worth of keys for a particular zone, and when I started the Knot server it took a significant amount of time selecting the appropriate keys from among the pre-generated ones.