[Opendnssec-develop] v1.1 RC1
matthijs at NLnetLabs.nl
Wed Mar 31 10:07:40 UTC 2010
Rickard Bellgrim wrote:
> * We are still struggling with dropped signatures during key rollover.
Currently a key rollover is done this way:
1. K1[a] -> K1[ac], K2[p] -> K1[p], K2[a] -> K2[a]
Where a is active and p is publish.
2. If such a change happens in the enforcer, the signer will be
notified: ods-signer update <zone>
3. The signer will resign when there is a change in the key set.
4. Because the signer has no knowledge of key rollovers (it just follows
the orders given in the signconf file), it will drop all signatures
when K1 transitions to the published state. It will create all new
signatures with K2, because it just became active.
I hear that there is a need for a smooth transition between steps 2
and 3 of the key rollover process. However, this requires a new state:
'publish, but pre-generate signatures with this key if there are no
fresh signatures for current active keys, but don't publish those
signatures yet'. This will replace the publish state in the above situation.
When the old key becomes inactive (but is still post-published), I think
we should drop all old signatures, regardless of the freshness of these
signatures, as they should not be propagated anymore towards the caches.
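The following toy model is an added illustration, not code from the post or from OpenDNSSEC: it models a signer that only follows the signconf and compares the current rollover (every K1 signature dropped and re-made when K2 becomes active) with the proposed pre-generate state for K2. Signature lifetime, refresh margin, the tick-based clock and the ten-RRset zone are all assumptions of the model.

```python
"""Toy model of signer behaviour across a ZSK rollover (constructed example,
not OpenDNSSEC code). Compares the current path, where all K1 signatures are
dropped and re-made with K2 at activation, with the proposed 'publish, but
pre-generate unpublished signatures' state for K2."""
from dataclasses import dataclass, field

LIFETIME = 10  # signature validity in ticks (assumed)
REFRESH = 2    # re-sign once a signature has this many ticks or fewer left (assumed)


@dataclass
class RRset:
    name: str
    signed_by: str               # key whose signature is currently published
    expires: int                 # expiry tick of that published signature
    pending: dict = field(default_factory=dict)  # unpublished sigs: key -> expiry


def resign(zone, now, active, presign=None):
    """One signer pass. Signatures not made by the active key are dropped and
    re-made, regardless of freshness. Returns (published, pregenerated) counts."""
    published = pregenerated = 0
    for rr in zone:
        stale = rr.signed_by != active or rr.expires - now <= REFRESH
        if stale:
            pre = rr.pending.pop(active, None)
            if pre is not None and pre - now > REFRESH:
                rr.signed_by, rr.expires = active, pre   # promote, no signing work
            else:
                rr.signed_by, rr.expires = active, now + LIFETIME
                published += 1
            if presign and presign not in rr.pending:
                # proposed state: the published-only key signs alongside the
                # refreshed active signature, but its signature stays unpublished
                rr.pending[presign] = now + LIFETIME
                pregenerated += 1
    return published, pregenerated


def rollover(pregenerate):
    """Ticks 0-4: K1 active, K2 published (optionally pre-generating).
    Tick 5: K2 active, K1 published only. Returns per-tick signing work."""
    zone = [RRset(f"rr{i}", "K1", expires=i + 1) for i in range(10)]  # staggered expiries
    work = [resign(zone, t, "K1", "K2" if pregenerate else None) for t in range(5)]
    work.append(resign(zone, 5, "K2"))
    return work


if __name__ == "__main__":
    print("current :", rollover(False))  # burst of 10 new signatures at tick 5
    print("proposed:", rollover(True))   # 4 at tick 5; the rest were pre-generated
```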