[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Oct 6 12:57:58 UTC 2010



I have now implemented the rules as described on the wiki, with the
exception of Deactivate.

So, existing signatures will be dropped if:
- Or Refresh is disabled (refresh value is 0)
- Or The RRset has changed
- Or The RRSIG inception has not yet passed
- Or The RRSIG expiration minus Refresh has passed
- Or The RRSIG is created by a key not present in the signconf

If signatures have been recycled, we'll check if the RRset is signed by
all known algorithms. If the RRset is not yet signed with this
algorithm, it is signed with all active keys of that algorithm.

Note that this can extend the duration of a rollover for quite a bit.
If you don't recycle signatures of the post-publish key, resigning the
zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
TLD. If you do recycle signatures of the post-published key, Dsgn will
be increased by (expiration - refresh). For example, a signature
validity of a month and a refresh of a day can increase Dsgn by 30 days.

In general, it affects all ZSK rollovers, since zone data RRsets may
remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.

In OpenDNSSEC, KSK rollovers are not affected, since the
double-signature method changes the DNSKEY RRset, thus all existing
signatures must be dropped. In general, it affects pre-publish KSK
rollover, because the transition to making the new key active does not
edit the DNSKEY RRset.

Thus, if we want to enforce speeding things up, we need a new Element in
the Signer Configuration. Jakob proposes <Deactivate>. If the enforcer
thinks it's better for this rollover that signatures of a certain key
are not being recycled, it can add this Element to that key.
(perhaps a better name would be <Unrecyclable>?).

Best regards,


On 09/29/2010 02:48 PM, Jakob Schlyter wrote:
> please review http://trac.opendnssec.org/wiki/Signer/Signatures.
> 	j
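The drop rules, the per-algorithm coverage check and the Dsgn extension described in the mail, as an added example in Python; this is not OpenDNSSEC code. It assumes a key is identified by its keytag, that the signconf is a mapping keytag -> (algorithm, is_active), and constructs its own sample signatures.

```python
from dataclasses import dataclass

# Added example, not OpenDNSSEC code. Times are UNIX seconds. "keytag" is
# assumed as the key identifier and "signconf" is assumed to map
# keytag -> (algorithm, is_active) for the keys in the signer configuration.

@dataclass
class Rrsig:
    keytag: int
    algorithm: int
    inception: int
    expiration: int

def drop_reasons(sig, now, refresh, rrset_changed, signconf):
    """Rules that force dropping an existing signature; an empty list means recycle it."""
    reasons = []
    if refresh == 0:
        reasons.append("refresh disabled")
    if rrset_changed:
        reasons.append("rrset changed")
    if sig.inception > now:
        reasons.append("inception not yet passed")
    if sig.expiration - refresh <= now:
        reasons.append("expiration minus refresh passed")
    if sig.keytag not in signconf:
        reasons.append("key not in signconf")
    return reasons

def recycle(sigs, now, refresh, rrset_changed, signconf):
    """Return (recycled signatures, keytags the RRset must still be signed with)."""
    kept = [s for s in sigs if not drop_reasons(s, now, refresh, rrset_changed, signconf)]
    covered = {s.algorithm for s in kept}
    # Every signconf algorithm not covered by a recycled signature is signed with
    # all active keys of that algorithm; if nothing was kept, all active keys sign.
    to_sign = [tag for tag, (alg, active) in signconf.items() if active and alg not in covered]
    return kept, to_sign

def dsgn_extension(validity, refresh):
    """Worst-case extra rollover time when post-publish key signatures are recycled."""
    return validity - refresh

# Constructed sample input: "now", one day refresh, four signatures, four signconf keys.
NOW, DAY = 1_000_000, 86400
SAMPLE_SIGS = [
    Rrsig(1, 8, 900_000, NOW + 10 * DAY),   # fresh, key known: recycled
    Rrsig(2, 8, 900_000, NOW + 3600),       # expires within refresh: dropped
    Rrsig(3, 13, NOW + 10, NOW + 10 * DAY), # inception in the future: dropped
    Rrsig(4, 8, 900_000, NOW + 10 * DAY),   # keytag 4 not in signconf: dropped
]
SAMPLE_SIGNCONF = {1: (8, True), 2: (8, True), 3: (13, True), 5: (13, True)}
```

With the sample data only the algorithm 8 signature by key 1 is recycled, so the RRset is re-signed with the active algorithm 13 keys (3 and 5).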

