[Opendnssec-develop] review: Signature recycle etc.

Rickard Bellgrim rickard.bellgrim at iis.se
Mon Oct 11 06:53:14 UTC 2010


On 6 Oct 2010, at 14.57, Matthijs Mekking wrote:

> Note that this can extend the duration of a rollover for quite a bit.
> If you don't recycle signatures of the post-publish key, resigning the
> zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
> TLD. If you do recycle signatures of the post-published key, Dsgn
> will be increased by (expiration - refresh). For example, a signature
> validity of a month and a refresh of a day can increase Dsgn by 30 days.
> 
> In general, it affects all ZSK rollovers, since zone data RRsets may
> remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.
> 
> In OpenDNSSEC, KSK rollovers are not affected, since the
> double-signature method changes the DNSKEY RRset, thus all existing
> signatures must be dropped. In general, it affects pre-publish KSK
> rollover, because the transition to making the new key active does not
> edit the DNSKEY RRset.

I think we talked about this during the meeting, but just to make sure again: does the Enforcer handle this for the ZSK?

> Thus, if we want to enforce speeding things up, we need a new Element in
> the Signer Configuration. Jakob proposes <Deactivate>. If the enforcer
> thinks it's better for this rollover that signatures of a certain key
> are not being recycled, it can add this Element to that key.
> (perhaps a better name would be <Unrecyclable>?).

When would you issue this command? When you know that your key has been broken?

// Rickard
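As an added illustration of the point Matthijs quotes above (not code from the thread or from OpenDNSSEC), the following constructed model shows how recycling the old ZSK's signatures stretches the signing phase of a rollover (Dsgn), and how a per-key "do not recycle" marker such as the proposed <Deactivate>/<Unrecyclable> element collapses it back to a single signer run. The RRset names, the `unrecyclable` flag, and the function names are assumptions made for this example; the refresh rule (re-sign once an RRSIG is within `refresh` of expiring) is the one the quoted text describes.

```python
from datetime import datetime, timedelta

# Constructed policy values: a one-month signature validity and a one-day
# refresh, matching the example in the quoted mail.
VALIDITY = timedelta(days=31)
REFRESH = timedelta(days=1)
DEFAULT_ROLLOVER_START = datetime(2010, 10, 11)  # constructed date


class Rrsig:
    """An existing signature over one unchanged RRset, made with the old key."""

    def __init__(self, owner, inception, validity):
        self.owner = owner
        self.inception = inception
        self.expiration = inception + validity


def needs_refresh(sig, now, refresh):
    """The signer re-signs an RRset once its RRSIG is within `refresh` of expiring."""
    return sig.expiration - now <= refresh


def new_key_signing_time(sig, rollover_start, refresh, unrecyclable):
    """Moment at which this RRset first carries a signature from the new key.

    With recycling, an unchanged RRset keeps its old-key RRSIG until that
    signature would be refreshed anyway.  With the old key marked
    unrecyclable (assumed <Unrecyclable> element), the RRset is re-signed in
    the first signer run after the rollover starts.
    """
    if unrecyclable or needs_refresh(sig, rollover_start, refresh):
        return rollover_start
    return sig.expiration - refresh


def dsgn(sigs, rollover_start, refresh, unrecyclable):
    """Time until every RRset in the zone carries a new-key signature."""
    last = max(new_key_signing_time(s, rollover_start, refresh, unrecyclable)
               for s in sigs)
    return last - rollover_start


def max_dsgn_bound(validity, refresh):
    """Worst case from the quoted mail: a signature made just before the
    rollover survives for (expiration - refresh) = validity - refresh."""
    return validity - refresh


def sample_zone(rollover_start, validity):
    """Constructed zone: unchanged RRsets whose RRSIGs were created at
    staggered times, the last one in the run right before the rollover."""
    return [
        Rrsig("www.example.", rollover_start - timedelta(days=25), validity),
        Rrsig("mail.example.", rollover_start - timedelta(days=10), validity),
        Rrsig("ns1.example.", rollover_start, validity),
    ]


if __name__ == "__main__":
    zone = sample_zone(DEFAULT_ROLLOVER_START, VALIDITY)
    for flag in (False, True):
        print("unrecyclable=%s -> Dsgn = %s"
              % (flag, dsgn(zone, DEFAULT_ROLLOVER_START, REFRESH, flag)))
    print("bound = %s" % max_dsgn_bound(VALIDITY, REFRESH))
```

With recycling the zone is not fully signed by the new key for 30 days, exactly the validity-minus-refresh bound; with the old key marked unrecyclable every RRset is re-signed immediately, at the cost of one full re-signing run.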
