[Opendnssec-develop] review: Signature recycle etc.

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 11 10:27:45 CEST 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 10/11/2010 08:53 AM, Rickard Bellgrim wrote:
> 
> On 6 okt 2010, at 14.57, Matthijs Mekking wrote:
> 
>> Note that this can extend the duration of a rollover for quite a bit.
>> If you don't recycle signatures of the post-publish key, resigning the
>> zone with the new key (Dsgn) takes about 1 second up to 20 minutes for a
>> TLD. If you do recycle signatures of the post-published key, Dsgn can
>> will be increased with (expiration - refresh). For example, a signature
>> validity of a month and a refresh of a day can increase Dsgn with 30 days.
>>
>> In general, it affects all ZSK rollovers, since zone data RRsets may
>> remain unchanged. Thus, it affects OpenDNSSEC ZSK rollovers.
>>
>> In OpenDNSSEC, KSK rollovers are not affected, since the
>> double-signature method changes the DNSKEY RRset, thus all existing
>> signatures must be dropped. In general, it affects pre-publish KSK
>> rollover, because the transition to making the new key active does not
>> edit the DNSKEY RRset.
> 
> I think we talked about this during the meeting, but just to make sure again: Does the Enforcer handles this for the ZSK?
> 
>> Thus, if we want to enforce speeding things up, we need a new Element in
>> the Signer Configuration. Jakob proposes <Deactivate>. If the enforcer
>> thinks it's better for this rollover that signatures of a certain key
>> are not being recycled, it can add this Element to that key.
>> (perhaps a better name would be <Unrecyclable>?).
> 
> When would you issue this command? When you know that your key has been broken?

It is not about whether a key is broken or not. It is about whether it
is desirable to speed up the rollover at a cost recycling signatures.
Currently, the enforcer does not have to implement this, because the
current implemented rollovers are not affected. However, It might become
interesting if we implement other (algorithm) rollovers. Something for
when we discuss the successor versions of the enforcer...

Best regards,

Matthijs




> 
> // Rickard
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJMssqAAAoJEA8yVCPsQCW5Gb8H/Ro5egC4J6Tup9X9siKVWjdh
oWe5p8xdCXwCEo455fFmiofG652roJ2H/3iV4ZWAdmr2u0HIy3ntOPBDETK8GuqQ
NDA+Qkl4K4I5OkhgMtCT98WBSP5gFPn+S3OfFXL2vDi09YzIBnlunwZsZocJ2EcU
zv0WICA2UzFDc/+JsfKhOvrDZjGEKSQX/snHbu6MyNE8WZcRs1toImaobdbAGNv2
kFRy0qJ0C2mv5cPdK587AahcFU1vDJCc/30yB1ylzWx1JDdr36mdQWaCNxgekAAj
BWUy6yxDY1zDWpdWkRrA8Q3tgneBa2HtM+QyN0SAAxb3Sowxlgjs2GrXRgmfxio=
=/xa7
-----END PGP SIGNATURE-----



More information about the Opendnssec-develop mailing list