[Opendnssec-develop] Auditor reaction on changed policy

Alex Dalitz AlexD at nominet.org.uk
Wed Jun 2 14:51:44 UTC 2010


Hi Rick -

This has to do with the more general problem of how the auditor should behave after policy changes.

ISTM the only straightforward option is for the auditor to store some policy state (it already stores the current states of keys seen in the zone). It could then either work out that the observed situation is OK due to the change of policy, or, at the least, downgrade associated errors to warnings, and let the signed zone be published.

Thanks,


Alex.

On 02/06/2010 14:43, "Rick Zijlker" <rick.zijlker at sidn.nl> wrote:

Hey,

An interesting scenario to think about:

- Sign zone with signature lifetime of 1200s and jitter of 10s. So lifetime varies between 1190 and 1210.

- Change policy and set jitter to 0 so signature lifetime becomes a solid 1200s.

- Stop engines, update database, start engines.

- At next resign, auditor fails signing the zone because some signature lifetimes are below 1200s.


Basically the auditor audits the zone with the updated policy, while the signer hasn’t touched those signatures yet because they are still valid.

I’m not sure what, if anything, is wrong here, but I think it’s not appropriate that the process fails because of a changed jitter. After a while the signing will correct itself since signatures will be made by the new policy, but it could mean you won’t get an updated zone for some time, depending on your key validity.

Auditor returned: 3 on this scenario. Does that mean no signed zone output? Or just warnings?

Cheers,
Rick

_______________________________________________
Opendnssec-develop mailing list
Opendnssec-develop at lists.opendnssec.org
https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
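The behaviour Alex proposes (the auditor keeping policy state and downgrading errors it can explain by a policy change) can be sketched in a few lines. The following is an added example written for this thread, not OpenDNSSEC's auditor code: the Policy and Rrsig structures, the reading of jitter as widening the accepted lifetime window to lifetime +/- jitter, the policy-change timestamp and the sample signature timings are all assumptions constructed for the illustration. It reproduces Rick's scenario (1200s lifetime, jitter 10 then 0) and shows that a policy-aware audit still rejects signatures that were never within any policy, while signatures produced under the old jitter only produce warnings.

```python
"""Added example: an auditor that knows the previous policy can avoid
failing a zone for signatures that were valid when they were made.

Illustration written for this thread, not OpenDNSSEC's auditor.  The
policy fields, the lifetime +/- jitter acceptance window, the change
timestamp and the sample RRSIG timings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Policy:
    lifetime: int  # intended signature lifetime in seconds
    jitter: int    # +/- seconds the signer may add to the expiration

    def accepts(self, observed_lifetime: int) -> bool:
        """Consistent if lifetime lies within lifetime +/- jitter
        (1190..1210 for lifetime 1200 and jitter 10)."""
        return (self.lifetime - self.jitter
                <= observed_lifetime
                <= self.lifetime + self.jitter)


@dataclass(frozen=True)
class Rrsig:
    owner: str
    inception: int   # seconds, as the RRSIG inception field
    expiration: int  # seconds, as the RRSIG expiration field

    @property
    def lifetime(self) -> int:
        return self.expiration - self.inception


@dataclass(frozen=True)
class Finding:
    severity: str  # "error" or "warning"
    owner: str
    message: str


def audit(sigs: List[Rrsig], current: Policy,
          previous: Optional[Policy] = None,
          changed_at: Optional[int] = None) -> List[Finding]:
    """Check every signature against the current policy.

    With no stored policy state (previous is None) every deviation is an
    error, which is what Rick observed.  Given the previous policy and the
    time it was replaced, a signature made before the change that fits the
    old window is downgraded to a warning: the signer will replace it at
    its next refresh, so there is nothing for an operator to fix.
    """
    findings: List[Finding] = []
    for sig in sigs:
        life = sig.lifetime
        if current.accepts(life):
            continue
        made_under_old_policy = (
            previous is not None
            and changed_at is not None
            and sig.inception < changed_at
            and previous.accepts(life)
        )
        if made_under_old_policy:
            findings.append(Finding(
                "warning", sig.owner,
                f"lifetime {life}s outside current policy but within the "
                f"policy in force at inception; corrects itself on resign"))
        else:
            findings.append(Finding(
                "error", sig.owner, f"lifetime {life}s outside policy window"))
    return findings


def has_errors(findings: List[Finding]) -> bool:
    """True if the signed zone should be rejected (any error-level finding)."""
    return any(f.severity == "error" for f in findings)


# --- constructed sample data (not from a real zone) -----------------------
OLD_POLICY = Policy(lifetime=1200, jitter=10)   # accepts 1190..1210
NEW_POLICY = Policy(lifetime=1200, jitter=0)    # accepts exactly 1200
POLICY_CHANGED_AT = 600                         # assumed change time

SAMPLE_SIGS = [
    Rrsig("a.example", 0, 1190),    # old policy, jitter low end
    Rrsig("b.example", 0, 1200),    # old policy, no jitter applied
    Rrsig("c.example", 0, 1210),    # old policy, jitter high end
    Rrsig("d.example", 0, 1100),    # never valid under either policy
    Rrsig("e.example", 700, 1900),  # resigned after the change: 1200s
    Rrsig("f.example", 700, 1895),  # after the change but 1195s: genuine error
]


def run_naive() -> List[Finding]:
    return audit(SAMPLE_SIGS, NEW_POLICY)


def run_policy_aware() -> List[Finding]:
    return audit(SAMPLE_SIGS, NEW_POLICY, OLD_POLICY, POLICY_CHANGED_AT)


if __name__ == "__main__":
    for label, findings in (("naive", run_naive()),
                            ("policy-aware", run_policy_aware())):
        print(f"{label}: reject={has_errors(findings)}")
        for f in findings:
            print(f"  {f.severity:7} {f.owner}: {f.message}")
```

Run stand-alone it prints both audits: the naive pass flags four signatures as errors, the policy-aware pass keeps errors only for d.example and f.example and reports a.example and c.example as warnings. With only the three legitimate old-policy signatures present, the policy-aware audit no longer rejects the zone, which is the outcome Rick was after.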