[Opendnssec-develop] Key removal
jad at jadickinson.co.uk
Thu Feb 19 13:08:43 UTC 2009
On 19 Feb 2009, at 12:58, Jakob Schlyter wrote:
> On 19 feb 2009, at 13.41, John Dickinson wrote:
>> Stephen and I have been thinking about how the Enforcer should work.
>> Initially I was thinking that the Enforcer will tell the Signer
>> Engine which keys should be published in the zone and which should
>> be used to sign the zone. The Enforcer would make all the decisions
>> about which keys are in which states (generated, published, active,
>> retired, dead and no longer published). However, I am now wondering
>> if the Enforcer should only be concerned with the states from
>> generated to retired and that it should be up to the signer to
>> decide when it is OK for a key that is no longer used for new
>> signing operations (but may have been used to generate existing
>> signatures) to be removed from the zone.
> I would really like the enforcer to make all decisions regarding
> what keys are used for signing and publication, and that we can keep
> the signer stateless and "dumb".
It still does, but since the Enforcer cannot see the signed zone it
will not "know" how the signer is doing the signing (i.e. replacing
all RRSIGs every time or just signing new stuff and expiring RRSIGs)
and if there are any signatures remaining from an old key. Therefore
it will have to calculate from the KASP signature parameters when it
is safe to stop publishing the old key. Something along the lines of
the key must continue to be published for at least signature lifetime
+ TTLsig + clockskew (this equation is not correct, needs work and is
what got me thinking this in the first place). This equation depends
largely on parameters related to signatures and so I wondered if that
indicated that it might be in the signer's realm of responsibility.
However, you all seem to be in agreement that the Enforcer should do it
and I am happy with that.