[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r4117 - trunk/OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Oct 15 13:02:30 CEST 2010

Author: rb
Date: 2010-10-15 13:02:30 +0200 (Fri, 15 Oct 2010)
New Revision: 4117

We have fixed some known issues

Modified: trunk/OpenDNSSEC/KNOWN_ISSUES
--- trunk/OpenDNSSEC/KNOWN_ISSUES	2010-10-15 09:09:11 UTC (rev 4116)
+++ trunk/OpenDNSSEC/KNOWN_ISSUES	2010-10-15 11:02:30 UTC (rev 4117)
@@ -1,45 +1,11 @@
-OpenDNSSEC 1.1.0 - Known Restrictions
+OpenDNSSEC 1.2.0 - Known Restrictions
-The following are the known problems and/or restrictions of release 1.1.0 of
+The following are the known problems and/or restrictions of release 1.2.0 of
-KSK rollover requires manual timing
-OpenDNSSEC rolls a key-signing key by the double-DS pre-publication method:
-the DS record for the new zone is extracted from OpenDNSSEC and sent to the
-parent zone. After a period of time, the KSK is changed and, after a further
-interval, the DS record for the old KSK is removed from the parent.
-The sending of the DS record to the parent zone necessarily involves manual
-intervention on your part, but version 1.0.0 of OpenDNSSEC also requires that
-you manually time two intervals:
-* The time between introducing the new KSK into the zone and sending the DS
-  record to the parent.
-* Seeing the DS record in the parent zone and informing OpenDNSSEC of its
-  presence.
-Future versions of the software will remove the need for tracking the time
-between these events.
-The KSK rollover procedure is described in the OpenDNSSEC documentation.
-Key rollover and reuse of signatures
-OpenDNSSEC makes use of reusing previously created signatures. A key that is
-in active state will be used for signing. When rolling keys, keys may become
-active or inactive. At these points in key rollover, all signatures that
-correspond to a previously active key (which just became inactive) need to be
-dropped and new signatures for the new, just activated key need to be created
-from scratch. OpenDNSSEC cannot handle a smooth transition between these states.
 Limitations on Number of Zones
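Review bot: the two entries deleted in this hunk ("KSK rollover requires manual timing" and "Key rollover and reuse of signatures") are removed without naming the change that resolved them, and the commit message only says "We have fixed some known issues"; please reference the fixing revision or the corresponding NEWS item so that users upgrading from 1.1.0 can verify that the rollover now tracks the DS-submission and DS-seen intervals itself and that signatures are no longer dropped wholesale when a key becomes active or inactive. Dropping the first entry also removes the stale "version 1.0.0 of OpenDNSSEC also requires" wording that contradicted the 1.1.0 heading, so the version bump to 1.2.0 in the retained header is consistent.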
@@ -83,27 +49,9 @@
 call 'ods-signer update' to manually update zones
-Issue with sharing keys and adding zones
-Due to a limitation in the way we keep track of key states, adding zones to a
-system that shares keys results in the new zone not getting copies of the 
-standby KSKs.
-In general when sharing keys the user must be aware that any key will be in the
-same state for all zones. 
 Issue with rolling from one algorithm to another
 The current version will handle key rollovers that also change algorithm just the
 same as any other key rollover. This is not sufficient; and so rolling between
 algorithms is broken and should not be done with the current system.
-Quicksorter does not allow certain owner names
-If a RR owner name looks like a directive, for example, $ORIGINAL or $TTLexample, 
-the quicksorter filters them away as being incorrect directives. It will crash
-on owner names like \$ORIGIN.
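Review bot: the removal of "Issue with sharing keys and adding zones" also deletes the sentence "In general when sharing keys the user must be aware that any key will be in the same state for all zones.", which documents shared-key semantics rather than the standby-KSK bug; if only the missing standby-KSK copies were fixed, keep that sentence as a restriction (or move it to the user documentation). For the deleted "Quicksorter does not allow certain owner names" entry, the crash on owner names like \$ORIGIN was a robustness issue in input handling, so the fixing commit should carry a regression test with $ORIGINAL, $TTLexample and \$ORIGIN owner names; note that the retained "Issue with rolling from one algorithm to another" entry still states that algorithm rollover is broken, so the version bump should not be read as resolving it.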
