[Opendnssec-develop] Zone moving between operators
Antoin.Verschuren at sidn.nl
Fri Mar 27 18:01:24 UTC 2009
I agree that the number of keys used is not something we can control.
I just want to make sure that the consequences of using a single key for multiple zones are understood, and that this behavior is not the "default" or "promoted".
I agree with Roy that we can not force a policy on the use of keys, but we can have an SLA on the registry system.
The part I'm concerned about most is not the emergency key rollovers, but the regular key rollovers.
A dns-operator that has 100.000+ zones signed with a single key will have an operational issue when doing a rollover.
A wild guess from me is that the complete process of propagating a key change to the parent will take about 0,1 seconds per delegation.
That is including EPP messaging and verification, validation of the key at the child, database processing and changing the parent zone.
Changing 100.000+ zones when the key needs a rollover will then take more than 2,7 hours of processing.
We cannot justify queuing other regular requests for such a long time, even more because it exceeds the time we generate new zonefiles.
I like Jelte's idea of defining some BCP for this, but that remains only a recommendation.
My real question is whether we need to safeguard such a recommendation in the design of OPENDNSSEC, or whether we leave it completely to the user without warnings, at the risk that the user blames the software for not working properly.
Technical Policy Advisor
PO Box 5022
6802 EA Arnhem
T +31 26 3525500
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
> -----Original Message-----
> From: Jelte Jansen [mailto:jelte at NLnetLabs.nl]
> Sent: Thursday, March 26, 2009 10:25 AM
> To: Antoin Verschuren
> Cc: roy at nominet.org.uk; Rick van Rein; Opendnssec-
> develop at lists.opendnssec.org; opendnssec-develop-
> bounces at lists.opendnssec.org; Matthijs Mekking
> Subject: Re: [Opendnssec-develop] Zone moving between operators
> Antoin Verschuren wrote:
> > But then perhaps parents will dictate that policy.
> > My worry is that in rollovers, the keys must move to the parent.
> > Processing a giant amount of EPP messages (one per delegation) might be
> > troublesome at a registry.
> > I wouldn't want our major webhoster to use one key for all its domains.
> Our systems simply would not be able to process the changes without impact
> on other transactions. The updates need to be spread out.
> As has been mentioned before, even if you use 1 key for each of your
> 75000 zones, and store all those keys in one place, chances are that
> you're going to need to roll 75000 keys if that location is compromised.
> > I would say one key for multiple zones is unwise.
> Unwise in general, certainly. But I think there will be valid use-cases.
> > And as a registry, I would probably forbid it in the policy.
> That's your choice. Or you could charge people with that many zones more
> A better way forward, at least for opendnssec, would imho be a way to
> spread updates to parents; i.e. an option
> 'don't-send-more-than-X-DS-records-per-Y' or something. That will affect
> other timing issues though.
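Jelte's sketched throttle ('don't send more than X DS records per Y') set beside Antoin's serial estimate of 0,1 seconds per delegation, as an added Python example that is not part of this thread or of OpenDNSSEC; the function names, the window policy and the constructed zone list are assumptions.

```python
from datetime import datetime, timedelta


def estimate_serial_rollover_hours(zone_count: int, seconds_per_delegation: float = 0.1) -> float:
    """Hours a registry spends if every delegation's DS change is processed back-to-back
    (Antoin's figure: 100.000 zones at 0,1 s each is a little under 2,8 hours)."""
    return zone_count * seconds_per_delegation / 3600.0


def schedule_ds_updates(zones, start: datetime, max_per_window: int, window: timedelta):
    """Assign each zone a submission time so that no window of length `window`
    carries more than `max_per_window` DS submissions (the X-per-Y option).
    Returns a list of (zone, submission_time) in submission order."""
    if max_per_window < 1:
        raise ValueError("max_per_window must be at least 1")
    schedule = []
    for index, zone in enumerate(zones):
        slot = index // max_per_window          # which window this zone falls into
        schedule.append((zone, start + slot * window))
    return schedule


def max_submissions_per_window(schedule, window: timedelta) -> int:
    """Largest number of submissions that share one window; used to verify the policy holds."""
    counts = {}
    for _, when in schedule:
        counts[when] = counts.get(when, 0) + 1
    return max(counts.values()) if counts else 0


def rollover_span(schedule) -> timedelta:
    """Wall-clock time from the first to the last DS submission of the spread rollover,
    to compare against how often the parent regenerates its zonefile."""
    if not schedule:
        return timedelta(0)
    times = [when for _, when in schedule]
    return max(times) - min(times)


if __name__ == "__main__":
    # Constructed example: 1000 zones behind one key, at most 100 DS updates per minute.
    zones = [f"example{i}.test" for i in range(1000)]       # constructed zone names
    plan = schedule_ds_updates(zones, datetime(2009, 3, 27, 18, 0), 100, timedelta(minutes=1))
    print(f"serial estimate: {estimate_serial_rollover_hours(100000):.2f} h")
    print(f"spread rollover takes {rollover_span(plan)}, peak {max_submissions_per_window(plan, timedelta(minutes=1))}/min")
```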