[Opendnssec-develop] v1.1 RC1

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Mar 31 10:07:40 UTC 2010


Hi,

Rickard Bellgrim wrote:
> * We are still struggling with dropped signatures during key rollover.

Currently a key rollover is done this way:

1. K1[a]   ->   K1[ac], K2[p]   ->   K1[p], K2[a]   ->   K2[a]

   Where a is active and p is publish.

2. If such a change happens in the enforcer, the signer will be
   notified: ods-signer update <zone>

3. The signer will resign when there is a change in the key set.

4. Because the signer has no knowledge of key rollovers (it just follows
   the orders given in the signconf file), it will drop all signatures
   when K1 transitions to the published state. It will create all new
   signatures with K2, because it just became active.

I hear that there is a need for a smooth transition between steps 2
and 3 of the key rollover process. However, this requires a new state:
'publish, but pre-generate signatures with this key if there are no
fresh signatures for current active keys, but don't publish those
signatures yet'. This will replace the publish state in the above situation.

When the old key becomes inactive (but still is post-published), I think
we should drop all old signatures, regardless of the freshness of these
signatures, as they should not be propagated anymore towards the caches.

Matthijs
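As an added illustration, not OpenDNSSEC code: a toy model of the per-RRset signature handling during the K1 -> K2 rollover described in the mail, comparing the current behaviour (all K1 signatures dropped and every RRset re-signed with K2 in one run) with the proposed pre-signing state (K2 signatures generated alongside each K1 refresh and held back until K2 is active). Key names, signature lifetime, refresh threshold, zone size and the step schedule are constructed values; the 'ac' state from step 1 is not modelled.

```python
from dataclasses import dataclass
LIFETIME = 8   # constructed: signature validity period, in time units
REFRESH = 2    # constructed: re-sign when fewer than 2 units of validity remain
N_RRSETS = 6   # constructed zone size; each RRset is a list of its signatures

@dataclass
class Sig:
    key: str
    expires: int
    published: bool = True   # False: pre-generated, held back from the zone

def signer_run(rrsets, keys, now):
    """One signer pass. keys maps key name -> 'a' (active), 'p' (publish or
    post-publish: DNSKEY only) or 'pre' (the proposed pre-signing state).
    Returns the number of signatures generated, i.e. the signing load."""
    active = [k for k, s in keys.items() if s == 'a']
    pre = [k for k, s in keys.items() if s == 'pre']
    created = 0
    for rr in rrsets:
        # Signatures by keys that are neither active nor pre-signing are dropped
        # regardless of freshness (the old key entering the published state).
        rr[:] = [s for s in rr if s.key in active or s.key in pre]
        for s in rr:
            if s.key in active:
                s.published = True   # held-back K2 signature goes live, no new crypto
        if any(s.key in active and s.expires - now >= REFRESH for s in rr):
            continue                 # a fresh signature by an active key exists
        rr[:] = [s for s in rr if s.key not in active]
        rr += [Sig(k, now + LIFETIME) for k in active]
        created += len(active)
        for k in pre:                # no fresh active signature: pre-generate with K2 too
            if not any(s.key == k for s in rr):
                rr.append(Sig(k, now + LIFETIME, published=False))
                created += 1
    return created

def rollover(presign):
    """Play the K1 -> K2 rollover from the mail; returns signatures created per step."""
    rrsets = [[Sig('K1', i + 2)] for i in range(N_RRSETS)]   # staggered expiries
    incoming = 'pre' if presign else 'p'
    schedule = {0: {'K1': 'a'}, 1: {'K1': 'a', 'K2': incoming},
                7: {'K1': 'p', 'K2': 'a'}, 8: {'K2': 'a'}}
    load, keys = [], {}
    for t in range(9):
        keys = schedule.get(t, keys)   # a key set change triggers a signer run too
        load.append(signer_run(rrsets, keys, t))
    return load

print('current :', rollover(False))   # [0, 1, 1, 1, 1, 1, 1, 6, 0]
print('proposed:', rollover(True))    # [0, 2, 2, 2, 2, 2, 2, 0, 1]
```

The burst of six signatures at step 7 in the current mode is the "dropped signatures" moment; in the proposed mode the signing work is spread over the pre-publish period and the switch to K2 itself generates nothing.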