[Opendnssec-develop] Enforcer NG testing

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Aug 30 13:33:49 UTC 2011


> Zone:       Key role:  DS:          DNSKEY:      RRSIGDNSKEY:  RRSIG:  Pub:  Act:  Id:
> blipp.com   KSK        omnipresent  omnipresent  omnipresent   NA      1     0     27d98675ec791fd63905d430df510007
> 
> Omnipresent in all fields, but the Act column is not set to 1.
> Shouldn't it be considered as active?

I think we have a lack of granularity here (and an error), due to how
the signconf _used_ to work. Formerly a published KSK implied signing
the DNSKEY set.

We should have three flags here:

published  - publish dnskey record (as is now)
active_ksk - sign dnskeyset
active_zsk - sign zone data

Currently the active flag has a different meaning depending on the role
of the key; this gets extra confusing when it is a single-key signing
scheme. The Signer configuration does not have this ambiguity (anymore),
so it is an internal Enforcer problem. I will fix this.

I propose to add the extra flag to the user interface as well. But an
alternative is to keep the interface and have
	active = active_ksk|active_zsk

//yuri
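To make the ambiguity concrete, here is a small model of the two flag schemes discussed above. It is an added illustration, not Enforcer or Signer code: the only identifiers taken from the thread are the flag names published, active_ksk and active_zsk; the class and function names, and the idea of enumerating which signconf decisions each scheme can express, are assumptions made for the example.

```python
"""Constructed model of the key-flag semantics discussed in the thread.

Added illustration, not OpenDNSSEC code. LegacyKey, Key, legacy_signconf,
signconf and reachable_signconfs are names chosen for this example; only
the flag names published, active_ksk and active_zsk come from the post.
"""
from dataclasses import dataclass
from itertools import product

KSK, ZSK, CSK = "KSK", "ZSK", "CSK"   # CSK: single-key signing scheme

# A signconf decision is modelled as the triple
#   (publish DNSKEY record, sign DNSKEY set, sign zone data)


@dataclass(frozen=True)
class LegacyKey:
    """Current scheme: one 'active' flag whose meaning depends on the role."""
    role: str
    published: bool
    active: bool


def legacy_signconf(key: LegacyKey) -> tuple:
    if key.role == KSK:          # active means "sign the DNSKEY set"
        return (key.published, key.active, False)
    if key.role == ZSK:          # active means "sign zone data"
        return (key.published, False, key.active)
    # CSK: one bit has to cover both jobs, so 'active' is read as "sign both".
    # A CSK that should sign the DNSKEY set but not yet the zone data
    # (or the other way round) cannot be expressed at all.
    return (key.published, key.active, key.active)


@dataclass(frozen=True)
class Key:
    """Proposed scheme: publish, sign DNSKEY set, sign zone data."""
    role: str
    published: bool
    active_ksk: bool
    active_zsk: bool

    @property
    def active(self) -> bool:
        # The alternative from the post: keep the single UI column and
        # derive it as active = active_ksk | active_zsk.
        return self.active_ksk or self.active_zsk


def signconf(key: Key) -> tuple:
    # The role no longer changes the meaning: each flag is one signconf bit.
    # The role only labels the key; the flags decide what it does.
    return (key.published, key.active_ksk, key.active_zsk)


def reachable_signconfs(role: str, model: str) -> set:
    """Every signconf triple a key of this role can express under a model."""
    if model == "legacy":
        return {legacy_signconf(LegacyKey(role, p, a))
                for p, a in product((False, True), repeat=2)}
    return {signconf(Key(role, p, k, z))
            for p, k, z in product((False, True), repeat=3)}


if __name__ == "__main__":
    # The row quoted in the thread: KSK, Pub=1, Act=0 -> DNSKEY published,
    # nothing signed with it yet.
    print(legacy_signconf(LegacyKey(KSK, True, False)))
    # For a CSK the single flag reaches 4 states, the two flags reach 8;
    # the missing ones are exactly "sign DNSKEY set only" and
    # "sign zone data only".
    missing = (reachable_signconfs(CSK, "new")
               - reachable_signconfs(CSK, "legacy"))
    print(sorted(missing))
```

Under the legacy reading the "Act: 0" on the quoted KSK simply means it is not yet signing the DNSKEY set, which is a valid state; the real loss of expressiveness only appears for the single-key scheme, where one bit cannot separate the two signing jobs.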
