[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Oct 6 12:57:58 UTC 2010


Hi,

I have now implemented the rules as described on the wiki, with the
exception of Deactivate.

So, existing signatures will be dropped if:
- Refresh is disabled (refresh value is 0)
- The RRset has changed
- The RRSIG inception has not yet passed
- The RRSIG expiration minus Refresh has passed
- The RRSIG is created by a key not present in the signconf

If signatures have been recycled, we'll check if the RRset is signed by
all known algorithms. If the RRset is not yet signed with this
algorithm, it is signed with all active keys of that algorithm.

Note that this can extend the duration of a rollover for quite a bit.
If you don't recycle signatures of the post-publish key, resigning the
zone with the new key (Dsgn) takes from about 1 second up to 20 minutes
for a TLD. If you do recycle signatures of the post-publish key, Dsgn
will be increased by (expiration - refresh). For example, a signature
validity of a month and a refresh of a day can increase Dsgn by 30 days.

In general, it affects all ZSK rollovers, since zone data RRsets may
remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.

In OpenDNSSEC, KSK rollovers are not affected, since the
double-signature method changes the DNSKEY RRset, thus all existing
signatures must be dropped. In general, it affects pre-publish KSK
rollover, because the transition to making the new key active does not
edit the DNSKEY RRset.

Thus, if we want to enforce speeding things up, we need a new element in
the Signer Configuration. Jakob proposes <Deactivate>. If the enforcer
thinks it's better for this rollover that signatures of a certain key
are not recycled, it can add this element to that key
(perhaps a better name would be <Unrecyclable>?).


Best regards,

Matthijs



On 09/29/2010 02:48 PM, Jakob Schlyter wrote:
> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
> 
> 	j
> 
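The drop rules and the per-algorithm re-signing step described in the post above, as an added Python model (example code, not OpenDNSSEC's signer): class and field names are assumptions, and "the RRset has changed" is modelled as a digest comparison. It also computes the worst-case Dsgn extension the post mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed model of the recycle rules from the post; all names are
# assumptions, this is not OpenDNSSEC's own code.

@dataclass(frozen=True)
class Rrsig:
    keytag: int            # key that produced this signature
    algorithm: int         # DNSSEC algorithm number of that key
    inception: datetime
    expiration: datetime
    rrset_digest: str      # digest of the RRset as it was when signed

@dataclass(frozen=True)
class SignConf:
    refresh: timedelta     # zero disables recycling entirely
    keys: dict             # keytag -> algorithm for every active key in the signconf

def drop_reason(sig, rrset_digest, conf, now):
    """None if the signature may be recycled, otherwise which rule drops it."""
    if conf.refresh == timedelta(0):
        return "refresh disabled"
    if sig.rrset_digest != rrset_digest:
        return "rrset changed"
    if now < sig.inception:
        return "inception not yet passed"
    if now >= sig.expiration - conf.refresh:
        return "expiration minus refresh has passed"
    if sig.keytag not in conf.keys:
        return "key not in signconf"
    return None

def resign(sigs, rrset_digest, conf, now, validity):
    """Recycle what the rules allow, then cover every algorithm in the signconf.

    An algorithm already covered by a recycled signature gets no new RRSIG, so a
    newly active key of that algorithm stays unused until the old one drops.
    """
    kept = [s for s in sigs if drop_reason(s, rrset_digest, conf, now) is None]
    covered = {s.algorithm for s in kept}
    new = [Rrsig(tag, alg, now, now + validity, rrset_digest)
           for tag, alg in conf.keys.items() if alg not in covered]
    return kept, new

def max_dsgn_extension(validity, refresh):
    """Worst case before a new key signs a recycled RRset: expiration - refresh."""
    return validity - refresh
```

Note how a newly active ZSK of the same algorithm produces no signature while the old key's RRSIG is still recyclable, which is exactly the rollover delay the post describes.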
