[Opendnssec-develop] Formal Key Transitions for Enforcer
yuri at NLnetLabs.nl
Mon Nov 15 11:46:28 UTC 2010
Attached you will find a formal write up of key transitions. It uses
a cache-centered approach. I took the idea to unravel the key states as
Matthijs proposed and generalized it a bit more.
This system tries to maintain a valid DNSSEC configuration while moving
keys towards a goal. Algorithm/policy/etc rollovers are only implicit.
Note that this is a work in progress, it represents the current state in
my head, which changes every day.
At this point an implementation would roll the keys as quickly as possible
without the zone going bogus. Additional constraints for different types
of rollovers are not yet introduced, but will be.
- Policy, key store, etc. rollovers are nothing special
- Can interrupt a rollover safely at any point in time to start a new
- Hard rollovers (e.g. going to a single key AND change algorithm) are
not special cases and _should_ just work (absolutely untested at this
- easy to parallelize, there is no strict connection between policy and
René is currently writing test code to see if this could work in
practice. If so, it might form a basis for an Enforcer implementation.
 Hope nobody minds me posting binaries to the list...