[Opendnssec-develop] Re: [OpenDNSSEC] #13: "engine: no new signatures, keeping zone" when changing zone parameters

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Tue Sep 1 14:37:52 UTC 2009


Matthijs Mekking <matthijs at NLnetLabs.nl> wrote on 01/09/2009 13:08:47:

> > Hi,
> > 
> > Picking up this ticket. Not sure what to do.
> > 
> > The report is two-fold.
> > 
> > 1.
> > What to do if the signer engine is presented a new SignerConfiguration
> > but no new signatures need to be created. Should we keep the old zone or
> > should we force a new output zone?
> > 
> > In my point of view, we should only output a new zone if new signatures
> > were created. So, for example an increased signature refresh value does
> > not necessarily result in a new output zone.
> 
> Currently, it forces new signatures when a new SignerConfiguration is
> detected.

I would have thought that would be OK.  How often is the signer 
configuration likely to change once the system is in operation?



> > 2.
> > What to do when signer_engine_cli sign <zone> is called. Should we force
> > a new output zone or only if new signatures are created?
> > 
> > In my point of view, again, we should only output a new zone if new
> > signatures are created. If the SOA serial changed, we should only output
> > a new zone if the SOA/Serial is equal to "keep".
> 
> Currently, the old zone is kept if only the SOA serial changes
> (regardless of the SOA/Serial value).

I think we should force a new output zone: the user has requested that a 
signing operation be performed and so we should do it.  We could always 
add a flag to the command (or add a new command) that will only output the 
zone if new signatures are created.

However, bear in mind one special case: the OpenDNSSEC data flow is:

   Unsigned zone -> Signer -> Signed zone -> Auditor -> Nameserver

What happens if an insecure delegation is added to the unsigned zone and 
the zone is signed using NSEC3?  No new signatures (other than that for 
the updated SOA) have to be created, but signer needs to propagate the new 
information through to the nameserver.

Stephen
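The special case Stephen raises (an insecure delegation added under NSEC3 produces no new signatures other than the SOA's, yet the nameserver must see the new NS records) is easy to reproduce with a small model. The following is an added example for this thread, not OpenDNSSEC code; the record data is constructed, the function names are hypothetical, NSEC3 records are omitted for brevity, and it assumes NSEC3 Opt-Out so that the new delegation adds no NSEC3 record. It contrasts the "keep the old zone unless new signatures were created" rule with a rule that also compares the unsigned content of the output zone.

```python
import hashlib
from typing import Iterable, List, NamedTuple, Set


class RR(NamedTuple):
    """One resource record in a presentation-like form (constructed for this example)."""
    name: str
    rtype: str
    rdata: str


def mask_soa_serial(rr: RR) -> RR:
    """Zero the serial so a serial-only bump does not register as a content change.
    SOA rdata layout: mname rname serial refresh retry expire minimum."""
    fields = rr.rdata.split()
    fields[2] = "0"
    return rr._replace(rdata=" ".join(fields))


def zone_digest(zone: Iterable[RR]) -> str:
    """SHA-256 over the canonically sorted non-signature content of the zone."""
    canon: List[str] = []
    for rr in zone:
        if rr.rtype == "RRSIG":
            continue  # fresh signatures over identical data are not a content change
        if rr.rtype == "SOA":
            rr = mask_soa_serial(rr)
        canon.append(f"{rr.name.lower()}\t{rr.rtype}\t{rr.rdata}")
    canon.sort()
    return hashlib.sha256("\n".join(canon).encode()).hexdigest()


def non_soa_signatures(zone: Iterable[RR]) -> Set[RR]:
    """Every RRSIG except the one covering the SOA, which changes on every re-sign."""
    return {rr for rr in zone if rr.rtype == "RRSIG" and not rr.rdata.startswith("SOA ")}


def keep_old_zone_signature_rule(old: Iterable[RR], new: Iterable[RR]) -> bool:
    """The rule debated in the thread: keep the old output zone when no
    signatures other than the SOA's were (re)created."""
    return non_soa_signatures(old) == non_soa_signatures(new)


def keep_old_zone_content_rule(old: Iterable[RR], new: Iterable[RR]) -> bool:
    """Stricter rule: keep the old zone only if the signatures AND the unsigned
    content (delegation NS records included) are unchanged."""
    return keep_old_zone_signature_rule(old, new) and zone_digest(old) == zone_digest(new)


# --- constructed sample data, not a real zone ---
SOA_V1 = RR("example.", "SOA", "ns1.example. hostmaster.example. 2009090101 3600 900 604800 300")
SOA_V2 = RR("example.", "SOA", "ns1.example. hostmaster.example. 2009090102 3600 900 604800 300")
SIG_SOA_V1 = RR("example.", "RRSIG", "SOA 8 1 3600 20091001000000 20090901000000 12345 example. sigSOA1")
SIG_SOA_V2 = RR("example.", "RRSIG", "SOA 8 1 3600 20091002000000 20090902000000 12345 example. sigSOA2")

SIGNED_BODY = [
    RR("example.", "NS", "ns1.example."),
    RR("example.", "NSEC3PARAM", "1 1 10 AABBCCDD"),  # flags=1: Opt-Out (assumed)
    RR("ns1.example.", "A", "192.0.2.1"),
    RR("example.", "RRSIG", "NS 8 1 3600 20091001000000 20090901000000 12345 example. sigNS1"),
    RR("ns1.example.", "RRSIG", "A 8 2 3600 20091001000000 20090901000000 12345 example. sigA1"),
]

OLD_ZONE = [SOA_V1, SIG_SOA_V1] + SIGNED_BODY
# Case A: a re-sign that only bumped the SOA serial and its signature.
SERIAL_ONLY_ZONE = [SOA_V2, SIG_SOA_V2] + SIGNED_BODY
# Case B: an insecure delegation was added to the unsigned zone. Delegation NS
# records are not signed and, under Opt-Out, no NSEC3 record is added for the
# new name, so the only new signature is again the SOA's.
DELEGATION_ZONE = SERIAL_ONLY_ZONE + [RR("sub.example.", "NS", "ns.sub.example.")]


if __name__ == "__main__":
    for label, new in (("serial only", SERIAL_ONLY_ZONE), ("new delegation", DELEGATION_ZONE)):
        print(f"{label}: signature rule keeps old zone = "
              f"{keep_old_zone_signature_rule(OLD_ZONE, new)}, "
              f"content rule keeps old zone = {keep_old_zone_content_rule(OLD_ZONE, new)}")
```

For the serial-only re-sign both rules agree that the old output zone can be kept; for the new delegation the signature-only rule still says "keep", which would leave the nameserver serving a zone without the delegation, while the content rule forces a new output zone.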