[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r4117 - trunk/OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Oct 15 13:02:30 CEST 2010


Author: rb
Date: 2010-10-15 13:02:30 +0200 (Fri, 15 Oct 2010)
New Revision: 4117

Modified:
   trunk/OpenDNSSEC/KNOWN_ISSUES
Log:
We have fixed some known issues


Modified: trunk/OpenDNSSEC/KNOWN_ISSUES
===================================================================
--- trunk/OpenDNSSEC/KNOWN_ISSUES	2010-10-15 09:09:11 UTC (rev 4116)
+++ trunk/OpenDNSSEC/KNOWN_ISSUES	2010-10-15 11:02:30 UTC (rev 4117)
@@ -1,45 +1,11 @@
 $Id$
 
-OpenDNSSEC 1.1.0 - Known Restrictions
+OpenDNSSEC 1.2.0 - Known Restrictions
 
-The following are the known problems and/or restrictions of release 1.1.0 of
+The following are the known problems and/or restrictions of release 1.2.0 of
 OpenDNSSEC.
 
 
-KSK rollover requires manual timing
------------------------------------
-
-OpenDNSSEC rolls a key-signing key by the double-DS pre-publication method:
-the DS record for the new zone is extracted from OpenDNSSEC and sent to the
-parent zone. After a period of time, the KSK is changed and, after a further
-interval, the DS record for the old KSK is removed from the parent.
-
-The sending of the DS record to the parent zone necessarily involves manual
-intervention on your part, but version 1.0.0 of OpenDNSSEC also requires that
-you manually time two intervals:
-
-* The time between introducing the new KSK into the zone and sending the DS
-  record to the parent.
-* Seeing the DS record in the parent zone and informing OpenDNSSEC of its
-  presence.
-
-Future versions of the software will remove the need for tracking the time
-between these events.
-
-The KSK rollover procedure is described in the OpenDNSSEC documentation.
-
-
-Key rollover and reuse of signatures
-------------------------------------
-
-OpenDNSSEC makes use of reusing previously created signatures. A key that is
-in active state will be used for signing. When rolling keys, keys may become
-active or inactive. At these points in key rollover, all signatures that
-correspond to a previously active key (which just became inactive) need to be
-dropped and new signatures for the new, just activated key need to be created
-from scratch. OpenDNSSEC cannot handle a smooth transition between these states.
-
-
 Limitations on Number of Zones
 ------------------------------
 
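Review bot: the removed "KSK rollover requires manual timing" section mixes a limitation that can be fixed with a standing operational fact, and deleting it whole drops the latter. The sentence "The sending of the DS record to the parent zone necessarily involves manual intervention on your part" describes a step that stays manual whether or not the software now tracks the two timed intervals. Suggest keeping a short note to that effect under the 1.2.0 heading, or confirming that the documentation the old text pointed to covers it. The log message "We have fixed some known issues" should also name the two entries removed here (manual KSK rollover timing, and reuse of signatures across key rollover) so the file history shows which restrictions were lifted.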
@@ -83,27 +49,9 @@
 call 'ods-signer update' to manually update zones
 
 
-Issue with sharing keys and adding zones
-----------------------------------------
-
-Due to a limitation in the way we keep track of key states, adding zones to a
-system that shares keys results in the new zone not getting copies of the 
-standby KSKs.
-In general when sharing keys the user must be aware that any key will be in the
-same state for all zones. 
-
-
 Issue with rolling from one algorithm to another
 ------------------------------------------------
 
 The current version will handle key rollovers that also change algorithm just the
 same as any other key rollover. This is not sufficient; and so rolling between
 algorithms is broken and should not be done with the current system.
-
-
-Quicksorter does not allow certain owner names
-------------------------------------------------
-
-If a RR owner name looks like a directive, for example, $ORIGINAL or $TTLexample, 
-the quicksorter filters them away as being incorrect directives. It will crash
-on owner names like \$ORIGIN.
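Review bot: in the removed "Issue with sharing keys and adding zones" section, the closing sentence "In general when sharing keys the user must be aware that any key will be in the same state for all zones" reads as a property of key sharing, not as part of the bug about new zones missing copies of the standby KSKs. If only the standby KSK limitation is fixed, keep that sentence as a caveat; if it no longer holds, say so in the log message. The removed quicksorter entry documented a crash on owner names like \$ORIGIN, so the log should point to the change that fixed it, or to a test zone containing such owner names, so the removal can be verified.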



