[Opendnssec-develop] Key removal

John Dickinson jad at jadickinson.co.uk
Thu Feb 19 13:08:43 UTC 2009


On 19 Feb 2009, at 12:58, Jakob Schlyter wrote:

> On 19 feb 2009, at 13.41, John Dickinson wrote:
>
>> Stephen and I have been thinking about how the Enforcer should work.
>>
>> Initially I was thinking that the Enforcer will tell the Signer  
>> Engine which keys should be published in the zone and which should  
>> be used to sign the zone. The Enforcer would make all the decisions  
>> about which keys are in which states (generated, published, active,  
>> retired, dead and no longer published). However, I am now wondering  
>> if the Enforcer should only be concerned with the states from  
>> generated to retired and that it should be up to the signer to  
>> decide when it is OK for a key that is no longer used for new  
>> signing operations (but may have been used to generate existing  
>> signatures) to be removed from the zone.
>
> I would really like the enforcer to make all decisions regarding  
> what keys are used for signing and publication, and that we can keep  
> the signer stateless and "dumb".

It still does, but since the Enforcer cannot see the signed zone it  
will not "know" how the signer is doing the signing (i.e. replacing  
all RRSIGs every time or just signing new stuff and expiring RRSIGs)  
and if there are any signatures remaining from an old key. Therefore  
it will have to calculate from the KASP signature parameters when it  
is safe to stop publishing the old key. Something along the lines of  
the key must continue to be published for at least signature lifetime  
+ TTLsig + clockskew (this equation is not correct, needs work and is  
what got me thinking this in the first place). This equation depends  
largely on parameters related to signatures and so I wondered if that  
indicated that it might be in the signer's realm of responsibility.

However, you all seem to be in agreement that the Enforcer should do it  
and I am happy with that.
John
---
John Dickinson
http://www.jadickinson.co.uk
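
Added example, not part of the original message and not OpenDNSSEC code: it contrasts the two views discussed above, a removal time computed from policy parameters alone and one read from the RRSIGs still present in the signed zone. The function names, the `Rrsig` record and all sample values are constructed; the first function is the rough sum sketched in the message (which its author flags as needing work), and the second assumes a signature stops mattering once its expiration plus clock skew has passed.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Rrsig:
    """One signature as it appears in a signed zone (times in Unix seconds)."""
    owner: str
    rrtype: str
    key_tag: int
    expiration: int


def policy_removal_time(retired_at: int, sig_lifetime: int,
                        ttl_sig: int, clock_skew: int) -> int:
    """Enforcer's view: the rough sum from the message, policy values only."""
    return retired_at + sig_lifetime + ttl_sig + clock_skew


def zone_removal_time(rrsigs: Iterable[Rrsig], key_tag: int,
                      clock_skew: int) -> Optional[int]:
    """Signer's view: latest expiration of a signature this key still has in
    the zone, plus skew. None means no signature by the key remains there."""
    expirations = [s.expiration for s in rrsigs if s.key_tag == key_tag]
    if not expirations:
        return None
    return max(expirations) + clock_skew


# Constructed sample: key 11111 was retired at t=1_000_000, key 22222 is active.
OLD_KEY, NEW_KEY = 11111, 22222
ZONE = [
    Rrsig("example.test.", "SOA", NEW_KEY, 2_900_000),
    Rrsig("www.example.test.", "A", OLD_KEY, 1_500_000),   # reused signature
    Rrsig("mail.example.test.", "A", OLD_KEY, 2_100_000),  # reused signature
    Rrsig("ftp.example.test.", "A", NEW_KEY, 2_900_000),
]

if __name__ == "__main__":
    policy = policy_removal_time(1_000_000, sig_lifetime=1_209_600,
                                 ttl_sig=3_600, clock_skew=300)
    seen = zone_removal_time(ZONE, OLD_KEY, clock_skew=300)
    print("policy-derived bound:", policy)
    print("zone-derived bound:  ", seen)
    # A signer that replaces every RRSIG on each run leaves none by the old key.
    resigned = [s for s in ZONE if s.key_tag != OLD_KEY]
    print("after full re-sign:  ", zone_removal_time(resigned, OLD_KEY, 300))
```

When the zone-derived value is `None`, copies of the old signatures may still sit in resolver caches, so the TTL term of the policy-derived bound still applies.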






