[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r4232 - home/yuri/doc/transition_rules

Yuri Schaeffer yuri at keihatsu.kirei.se
Mon Nov 29 17:12:26 CET 2010

Author: yuri
Date: 2010-11-29 17:12:25 +0100 (Mon, 29 Nov 2010)
New Revision: 4232


Modified: home/yuri/doc/transition_rules/key_states.pdf
(Binary files differ)

Modified: home/yuri/doc/transition_rules/key_states.tex
--- home/yuri/doc/transition_rules/key_states.tex	2010-11-26 15:18:47 UTC (rev 4231)
+++ home/yuri/doc/transition_rules/key_states.tex	2010-11-29 16:12:25 UTC (rev 4232)
@@ -109,6 +109,8 @@
 			The record is published but not every cache might be aware.
 			Every cache has this record.
+			Or (Section~\ref{redifined-propagated}) a
+			sibling record.
 			The record is withdrawn but some caches might still have it.
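Review bot: The label in the added `\ref{redifined-propagated}` is misspelled ("redifined"), and no `\label` with that name is visible in this patch; the subsections added further down carry no `\label` at all. Unless the label already exists elsewhere in key_states.tex, add it to the section that redefines propagation and spell it `redefined-propagated` in both places, otherwise the reference will not resolve. The added text is also a sentence fragment; folding it into the preceding line ("Every cache has this record, or (Section ...) a sibling record.") reads more clearly.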
@@ -209,7 +211,7 @@
 \hskip 2cm 			\exists k' \in \mathbb{K} \cdot ( \\
 \hskip 3cm 				Alg(k') = Alg(k) \wedge \\
 \hskip 3cm 				r \in Roles(k') \wedge \\
-\hskip 3cm 				l \in ConsistentKeys \wedge \\
+\hskip 3cm 				k' \in ConsistentKeys \wedge \\
 \hskip 3cm 				r = ksk \rightarrow (\neg H(Ds(k)) \rightarrow O(Ds(k'))) \wedge \\
 \hskip 3cm 				\neg H(Dnskey(k)) \rightarrow O(Dnskey(k')) \\
 \hskip 2cm 			)\\
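Review bot: The two implications at the end of the existential are joined by `\wedge` with no outer parentheses, so on the `r = ksk \rightarrow (...) \wedge` line it is unclear whether the following `\neg H(Dnskey(k)) \rightarrow O(Dnskey(k'))` is guarded by `r = ksk` or is an independent conjunct. Since this hunk is already correcting the formula (`l` to `k'`), wrap the ksk implication as `(r = ksk \rightarrow (...))` so the DNSKEY condition visibly applies to every role.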
@@ -224,7 +226,7 @@
-Valid(\mathbb{K}) \Leftrightarrow \\
+Valid(\mathbb{K}) \equiv \\
 \hskip 1cm	\forall k \in \mathbb{K} \cdot k \in SafeKeys \wedge \\
 \hskip 1cm	\exists k \in \mathbb{K} \cdot ( \\
 \hskip 2cm		ksk \in Roles(k) \wedge \\
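Review bot: In the body of `Valid(\mathbb{K})` the `\forall k` and the `\exists k` bind the same name in two separate quantifiers, which makes the `ksk \in Roles(k)` line easy to misread as referring to the universally quantified key. Renaming the existential variable (for example to `k'`, as the SafeKeys rule above does) would remove the ambiguity while the definition symbol is being changed anyway.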
@@ -241,6 +243,58 @@
+\section{Additional Considerations}
+\subsection{Couple "RRSIG DNSKEY" with DNSKEY State}
+It would be better to couple the signature over the DNSKEY set with
+the state of the DNSKEY. There is really no use case to publish these
+seperately, plus they always travel simultaniously. As a consequence
+a combined key can describe to sign the data in the zone but not the
+DNSKEY set and vice versa.
+Currently for the sake of uniformity a \emph{zsk} has a DS. I propose
+to introduce a distinction between ksk, zsk, and ksk+zsk. 
+\item ksk: DS, DNSKEY
+\item zsk: DNSKEY, RRSIG
+\item ksk+zsk: DS, DNSKEY, RRSIG
+\subsection{Omnipresent Sets of Keys}
+Our model defines the cache availablility for each key related resource
+record. This intruduces a problem for the RRSG for a \emph{zsk} which
+does not represent a single record but in fact a whole collection. 
+In the simpelest situation signatures can be replaced by new signatures 
+as an atomic operation. It is also valid however to sign a subset of
+the data with one key and the rest with another key (possibly $n$ keys).
+Partial signing with multiple keys is a valid situation and a 
+feature of the current signer. This enables a smooth transition 
+between keys, with as goal to spread out the workload for a signer. 
+As enforcer we don't have information which record sets are signed 
+with which key (because we don't want to have too much state). To 
+support a smooth transition while ensuring we are maintaining a 
+valid zone, we allow a set of keys to be 
+responsible for signing. One of which should be in omnipresent state.
+If a key is part of this set it can move to the Omnipresent state for 
+free, but it adds a restriction for leaving that set.
+\subsection{5011 Hack}
+extra F state between O and S. Conditions $O\rightarrow S \equiv O\rightarrow F + F\rightarrow S$.
+O-F: set revoke bit. F-S: wait till bit propagated. 
 \section{Transition Rules}
 The transition rules are explicitly written in such a way that at 
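Review bot: The "5011 Hack" subsection leaves the new F state undefined and says nothing about which records must stay signed while a key is in F. RFC 5011 validators accept a revocation only when the DNSKEY set is signed by the revoked key itself, so F has to require that the key's RRSIG over the DNSKEY set remains published; that interacts directly with the first subsection's proposal to couple "RRSIG DNSKEY" with the DNSKEY state and should be spelled out there. Setting the revoke bit also changes the key tag, which matters if keys are identified by tag anywhere in the model. Smaller points in the same hunk: the `+` in `O\rightarrow F + F\rightarrow S` needs a stated meaning (sequence or conjunction of conditions); the three `\item` lines have no enclosing list environment in the lines shown; and there are several typos to fix before this lands in the PDF ("seperately", "simultaniously", "availablility", "intruduces", "RRSG", "simpelest").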

Modified: home/yuri/doc/transition_rules/states.dot
--- home/yuri/doc/transition_rules/states.dot	2010-11-26 15:18:47 UTC (rev 4231)
+++ home/yuri/doc/transition_rules/states.dot	2010-11-29 16:12:25 UTC (rev 4232)
@@ -7,5 +7,7 @@
+    O->F->S
     R->S [ style = "dotted" ];    
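Review bot: The added `O->F->S` line has no terminating semicolon and no attributes, unlike the neighbouring `R->S [ style = "dotted" ];`. DOT accepts it, but matching the existing style keeps the file consistent, and since F is described in key_states.tex as a hack for RFC 5011, giving these edges a distinguishing style or a label on the F node would let the rendered graph show that the path is optional rather than part of the normal O to S transition.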

Modified: home/yuri/doc/transition_rules/states.pdf
(Binary files differ)
