Keyset extra KSK and ZSK rolls#149
Merged
Philip-NLnetLabs merged 108 commits into main, Mar 2, 2026
Conversation
Co-authored-by: Terts Diepraam <terts.diepraam@gmail.com>
- Adds KMIP server based key generation, signing and destruction, equivalent to the existing Ring/OpenSSL functionality.
- Adds new kmip subcommands for managing KMIP server configurations.
- Adds support for referring to KMIP keys by a new KMIP URL scheme.
- Add a feature for the KMIP crypto backend just like the Ring and OpenSSL crypto backends.
- Adds support for storing sensitive credentials in files separate to the KMIP server configuration.
…port to the proposed channel at packages.nlnetlabs.nl.
* Restructure roll commands.
* Import public keys.
* Import a public/private key pair from files.
* Add a default TTL to config. Use that for DNSKEY/CDS/CDNSKEY/DS RRsets.
* Cargo.lock.
* Support for importing KMIP keys.
* Import public/private keys in decoupled state.
* Add --private-key option to importing a public/private key pair from files.
* Add remove-key command.
Co-authored-by: Ximon Eighteen <3304436+ximon18@users.noreply.github.com>
ximon18
reviewed
Mar 2, 2026
    /// replace the DS for the old key with one for the new key.
    DoubleSignatureKskRoll,

    /// KSK roll that first publishes an additional DS record for the new
ximon18
reviewed
Mar 2, 2026
src/commands/keyset/cmd.rs
Outdated
    #[derive(Clone, Debug, Default, Deserialize, Serialize)]
    enum ZskRollType {
        #[default]
        /// Type of ZSK roll where the new ZSK is first added to the DNSKEY
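Review bot: in the ZskRollType snippet the `#[default]` attribute sits above the variant's doc comment instead of directly above the variant name. Both orders compile, since doc comments are attributes too, but the usual layout is the `///` doc comment first and `#[default]` immediately before the variant, which also keeps the variant's documentation adjacent to the item it describes when read in isolation.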
Member
Inconsistent: In KskRollType above you don't have the leading "Type of" text.
ximon18
reviewed
Mar 2, 2026
Member
ximon18
left a comment
As this PR doesn't seem to contain the logic to act on the new key roll types, but e.g. I see some existing logic relating to ZskDoubleSignatureRoll, is it the case that the logic for the additional key roll types already existed but was not selectable by the operator?
Co-authored-by: Ximon Eighteen <3304436+ximon18@users.noreply.github.com>
Member
Author
Yes, all of the logic is in domain. The only code needed here is the config settings to select which roll variants to use.
ximon18
approved these changes
Mar 2, 2026
Fixes #154.