[Opendnssec-develop] Signing two-faced domains

Rick van Rein rick at openfortress.nl
Tue Dec 2 20:26:16 UTC 2008



There is one more anomaly in DNS usage patterns that I think is valuable
to discuss early in the design of OpenDNSSEC.

High-profile domains will run on multiple locations, and employ DNS to
make a quick switch from the primary location to a backup if the primary
fails.  This usually means that more than one view on a zone is valid
at the same time.  There are a few ways of supporting this under DNSSEC:

1. Publish a DS record per view.  Not likely that a zone's parent is
   going to want this though.  Parents are usually the kind of people
   that enviously try to give all children an equal treat.

2. Use the same KSK for each view on a domain.  Synchronise key roll-over
   (which is fairly trivial as the same parent is being watched for the
   same domain) and simply don't publish the backup views until they are
   needed.  This seems to be the most likely scenario.

3. Quickly update DNS and re-sign when there is a need to switch to a
   backup location.  This alternative has a few disadvantages that
   conflict with the desires at the time of primary site failure,
   namely (1) that it takes time and (2) that it uses more resources
   and is thus more likely to break during a time of crisis.

This is another reason to allow signing of multiple zones with a shared
key.  But there's another exceptional issue happening here: there may
be two or more concurrent versions of the same zone, and each will have
to be signed.  In terms of programming, the name of a SOA record cannot
be treated as an identity for a zone to sign!

A similar problem applies to multiple-view domains, such as those with
a different internal/external view.  Those are more trivial however,
as internal settings in the vicinity of the secure resolver can easily
be overridden without doing DNSSEC (at least until each desktop resolves
securely on its own).

I don't know if this has been discussed before, since we've just landed
on the list and since there's no public archive available.


Rick van Rein
OpenFortress Digital signatures

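An added example, not part of Rick's message or of OpenDNSSEC's code, showing why options 1 and 2 differ for the parent and why a signing job needs more than the SOA owner name as its identity. It builds the DS record (RFC 4034 section 5.1.4, SHA-256 digest type) from a DNSKEY for each (zone, view) pair; the key bytes are constructed placeholders, not real RSA keys.

```python
import hashlib
from dataclasses import dataclass

# Constructed key material: not real RSA keys, just bytes placed in the
# DNSKEY "public key" field so the DS arithmetic can be shown offline.
SHARED_KSK = bytes(range(1, 65))
OTHER_KSK = bytes(range(65, 129))

def owner_wire(name: str) -> bytes:
    """Canonical owner name (lowercase, length-prefixed labels, RFC 4034 s6.2)."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def dnskey_rdata(pubkey: bytes, flags: int = 257, algorithm: int = 8) -> bytes:
    """DNSKEY RDATA: flags | protocol 3 | algorithm | key. 257 = zone key + SEP, i.e. a KSK."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum over the RDATA with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(zone: str, pubkey: bytes, algorithm: int = 8) -> str:
    """DS RDATA (RFC 4034 s5.1.4): digest type 2 = SHA-256 over owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(pubkey, algorithm=algorithm)
    digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} 2 {digest}"

@dataclass(frozen=True)
class ZoneView:
    """A signing job is identified by (zone name, view); the SOA name alone would collide."""
    name: str
    view: str

def ds_per_view(jobs: dict) -> dict:
    """Map each (zone, view) job to the DS the parent would need for that view's KSK."""
    return {job: ds_record(job.name, ksk) for job, ksk in jobs.items()}

def distinct_ds(jobs: dict) -> int:
    """Number of DS records the parent must publish for this key layout."""
    return len(set(ds_per_view(jobs).values()))

# Two concurrent, equally valid versions of one zone: primary site and backup.
jobs_shared = {ZoneView("example.com", "primary"): SHARED_KSK,   # option 2
               ZoneView("example.com", "backup"): SHARED_KSK}
jobs_split = {ZoneView("example.com", "primary"): SHARED_KSK,    # option 1
              ZoneView("example.com", "backup"): OTHER_KSK}
```

With the shared KSK both views hash to one DS, so the parent publishes a single record; with a KSK per view the parent would have to carry one DS per view.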

