[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 11 08:27:45 UTC 2010

Hash: SHA1


On 10/11/2010 08:53 AM, Rickard Bellgrim wrote:
> On 6 okt 2010, at 14.57, Matthijs Mekking wrote:
>> Note that this can extend the duration of a rollover for quite a bit.
>> If you don't recycle signatures of the post-publish key, resigning the
>> zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
>> TLD. If you do recycle signatures of the post-published key, Dsgn can
>> will be increased with (expiration - refresh). For example, a signature
>> validity of a month and a refresh of a day can increase Dsgn with 30 days.
>> In general, it affects all ZSK rollovers, since zone data RRsets may
>> remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.
>> In OpenDNSSEC, KSK rollovers are not affected, since the
>> double-signature method changes the DNSKEY RRset, thus all existing
>> signatures must be dropped. In general, it affects pre-publish KSK
>> rollover, because the transition to making the new key active does not
>> edit the DNSKEY RRset.
> I think we talked about this during the meeting, but just to make sure again: Does the Enforcer handles this for the ZSK?
>> Thus, if we want to enforce speeding things up, we need a new Element in
>> the Signer Configuration. Jakob proposes <Deactivate>. If the enforcer
>> thinks it's better for this rollover that signatures of a certain key
>> are not being recycled, it can add this Element to that key.
>> (perhaps a better name would be <Unrecyclable>?).
> When would you issue this command? When you know that your key has been broken?

It is not about whether a key is broken or not. It is about whether it
is desirable to speed up the rollover at a cost recycling signatures.
Currently, the enforcer does not have to implement this, because the
current implemented rollovers are not affected. However, It might become
interesting if we implement other (algorithm) rollovers. Something for
when we discuss the successor versions of the enforcer...

Best regards,


> // Rickard
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Opendnssec-develop mailing list