[Opendnssec-develop] Deactivating old KSK

Rickard Bellgrim rickard.bellgrim at iis.se
Tue Nov 3 13:28:38 UTC 2009



> The problem with a fully-automated system here is that although
> OpenDNSSEC can start publishing the new KSK in the zone, it has no way
> of knowing whether the DS record has been submitted to the parent (or
> even that the KSK rollover has been noticed by the operator).
>
> I would suggest that the following requires a minimum amount of work to
> the enforcer:
>
> a) New KSK is introduced into the zone automatically and messages
> appears in the logs. (This already happens.)
> b) At some time, the new key moves into the "active" state and the old
> key into a "retire" state. In these states, both keys continue to be
> published. However, the enforcer is altered so as to set the amount of
> time the KSK stays in the "retire" state to some very large value.
> c) The operator is required to acknowledge that the DS record has
> appeared in the parent.  This new command resets the retire time of the
> KSK to:
>
>      max(TTL of record in parent zone + estimate of propagation delay
> through parent zone,
>          TTL of record in this zone + estimate of propagation delay
> through this zone) +
>          safety margin
>
> d) The old KSK is not removed until the retire time has expired.  (In
> other words, we protect the user by keeping the old KSK in the zone for
> long enough to guarantee that the old DS and DNSKEY RRsets have expired
> from all validators.)
>
> (Note that step (c) may occur before step (b), in which case step (b)
> should not reset the retire time.)

+1

So we are missing step c (and the large value part of b) in OpenDNSSEC, which I think we need before v1.0.

Should I create a Pivotal story about this?

// Rickard
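As an added illustration of the retire-timer rule in the quoted proposal (this is a standalone model, not OpenDNSSEC's enforcer code), the following Python sketch walks steps (b) through (d), including the case where the operator acknowledges the DS before the key becomes active. Times are in seconds; VERY_LARGE, the class and method names are my own choices.

```python
# Model of the proposed KSK retire-timer rule (constructed example, not OpenDNSSEC code).
VERY_LARGE = 10**9  # seconds; stands in for "some very large value" in step (b)


def ds_settle_time(parent_ttl, parent_delay, zone_ttl, zone_delay, safety):
    """Step (c): how long the old KSK must stay published once the new DS
    is confirmed in the parent (all arguments in seconds)."""
    return max(parent_ttl + parent_delay, zone_ttl + zone_delay) + safety


class KskRollover:
    """Tracks one old/new KSK pair through publish -> active -> retire -> removed."""

    def __init__(self, settle):
        self.settle = settle          # value from ds_settle_time()
        self.old_state = "active"     # step (a) already done: new key is published
        self.new_state = "publish"
        self.ds_acknowledged = False
        self.retire_at = None         # absolute time when the old KSK may leave the zone

    def acknowledge_ds(self, now):
        """Step (c): operator confirms the new DS appeared in the parent."""
        self.ds_acknowledged = True
        if self.old_state == "retire":
            # (b) already started the very long timer: shorten it now.
            self.retire_at = now + self.settle
        # Otherwise (c) came before (b); activate() will use the short timer.

    def activate(self, now):
        """Step (b): new KSK becomes active, old KSK retires; both stay published."""
        self.new_state, self.old_state = "active", "retire"
        # Do not reset an already-acknowledged rollover back to the long timer.
        self.retire_at = now + (self.settle if self.ds_acknowledged else VERY_LARGE)

    def published(self):
        """Keys that must currently be in the DNSKEY RRset."""
        pairs = (("old", self.old_state), ("new", self.new_state))
        return {name for name, state in pairs if state != "removed"}

    def tick(self, now):
        """Step (d): remove the old KSK only once its retire time has passed."""
        if self.old_state == "retire" and now >= self.retire_at:
            self.old_state = "removed"
        return self.old_state
```

Without the acknowledgement the old KSK never leaves the zone; with it, removal happens exactly `ds_settle_time` after the later of steps (b) and (c).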


