[Opendnssec-develop] Auditor reaction on changed policy

Rick Zijlker rick.zijlker at sidn.nl
Wed Jun 2 13:43:29 UTC 2010


Hey,

An interesting scenario to think about:

- Sign zone with signature lifetime of 1200s and jitter of 10s. So lifetime varies between 1190 and 1210.
- Change policy and set jitter to 0 so signature lifetime becomes a solid 1200s.
- Stop engines, update database, start engines.
- At next resign, auditor fails signing the zone because some signature lifetimes are below 1200s.

Basically the auditor audits the zone with the updated policy, while the signer hasn't touched those signatures yet because they are still valid.

I'm not sure what, or if anything, is wrong here, but I think it's not appropriate that the process fails because of a changed jitter. After a while the signing will correct itself since signatures will be made by the new policy, but it could mean you won't get an updated zone for some time, depending on your key validity.

Auditor returned: 3 on this scenario. Does that mean no signed zone output? Or just warnings?

Cheers,
Rick
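An added model of the scenario above (example code written for this thread, not OpenDNSSEC's signer or auditor): a signer spreads signature lifetimes by the policy's jitter, a strict auditor checks existing signatures only against the current policy and so rejects old but still-valid signatures after jitter is set to 0, and a history-aware auditor checks each signature against the policy in force at its inception. The `Policy`, `Signature` names and the policy-history mechanism are assumptions for this example.

```python
"""Illustrative model (not OpenDNSSEC code) of signer jitter versus
auditor policy checks.  Names and the policy-history idea are assumptions."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    lifetime: int   # signature lifetime in seconds
    jitter: int     # +/- seconds spread around the lifetime


@dataclass(frozen=True)
class Signature:
    inception: int
    expiration: int


def sign_zone(policy, now, n_rrsets, rng):
    """Signer: each RRset gets a signature whose lifetime varies by jitter."""
    return [Signature(now, now + policy.lifetime + rng.randint(-policy.jitter, policy.jitter))
            for _ in range(n_rrsets)]


def audit_strict(sigs, policy):
    """Auditor that checks every signature against one policy only.
    Returns the signatures whose lifetime is outside lifetime +/- jitter."""
    lo, hi = policy.lifetime - policy.jitter, policy.lifetime + policy.jitter
    return [s for s in sigs if not lo <= s.expiration - s.inception <= hi]


def audit_with_history(sigs, history):
    """Auditor that checks each signature against the policy in force at its
    inception.  history: list of (effective_from, Policy), ascending by time."""
    def policy_at(t):
        current = history[0][1]
        for start, pol in history:
            if start <= t:
                current = pol
        return current
    return [s for s in sigs if audit_strict([s], policy_at(s.inception))]


def scenario():
    """Constructed run: sign under (1200s, 10s), then switch jitter to 0."""
    rng = random.Random(1)
    old, new = Policy(1200, 10), Policy(1200, 0)
    sigs = sign_zone(old, now=0, n_rrsets=50, rng=rng)   # signed under old policy
    history = [(0, old), (600, new)]                      # policy changed at t=600
    return {"strict_failures": len(audit_strict(sigs, new)),
            "history_failures": len(audit_with_history(sigs, history))}
```

Running `scenario()` shows the strict auditor failing a large share of the still-valid signatures while the history-aware auditor accepts them all.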