[Opendnssec-develop] Formal Key Transitions for Enforcer

Yuri Schaeffer yuri at NLnetLabs.nl
Mon Nov 15 11:46:28 UTC 2010

Hi all,

Attached [1] you will find a formal write up of key transitions. It uses
a cache-centered approach. I took the idea to unravel the key states as
Matthijs proposed and generalized it a bit more.

This system tries to maintain a valid DNSSEC configuration while moving
keys towards a goal. Algorithm/policy/etc rollovers are only implicit.
Note that this is a work in progress, it represents the current state in
my head, which changes every day.

At this point an implementation would roll the keys as quickly as possible
without the zone going bogus. Additional constraints for different types
of rollovers are not yet introduced, but will be.

Some features:
- Policy, key store, etc. rollovers are nothing special
- Can interrupt a rollover safely at any point in time to start a new one
- Hard rollovers (e.g. going to a single key AND changing algorithm) are
not special cases and _should_ just work (absolutely untested at this
point though).
- easy to parallelize, there is no strict connection between policy and

René is currently writing test code to see if this could work in
practice. If so, it might form a basis for an Enforcer implementation.


[1] Hope nobody minds me posting binaries to the list...

Yuri Schaeffer
NLnet Labs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: key_states.tar.gz
Type: application/x-gzip
Size: 215272 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20101115/c65a4f1a/attachment.bin>
