[Opendnssec-develop] Off-by-one error and new year

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Dec 27 13:29:03 UTC 2011

> So the conclusion is that there will be no post-publication of the
> DNSKEY for this signature, right?

Ah yes, this could be bad.

A resolver could end up with only the new key, and only the old signature.

1) Resolver fetches old signature
2) Enforcer tells signer to drop old DNSKEY. everything will get
resigned with new key. (This is normally the end of post-publication)
3) Resolver fetches new DNSKEY-set (with only new DNSKEY)
4) Chain of trust is broken for at most the record's TTL.

The post-publication would 'get lost' due to this error.


Yuri Schaeffer
NLnet Labs

More information about the Opendnssec-develop mailing list