[Opendnssec-develop] Enforcer engine
Yuri Schaeffer
yuri at nlnetlabs.nl
Fri Jul 1 15:34:47 UTC 2011
Hi,
Attached 2 files.
1) Updated document. Most noticeably a refinement of the rules which now
reflect the prototype implementation. It is now (for me) much more clear
why and how it works. I've tried to write that down in section 7. Also I
added some set symbols to make the notation more natural and changed the
letters of the records to something easy to remember.
D = ds record
K = dnskey record
k = rrsig dnskey record
S = rrsig record.
2) Direct output from my prototype for some rollovers.
Each table row is a timestep. Each column is a record and each group of
columns a key. From left to right: D, K, k, S. '---' denotes the key has no
such record. In brackets: whether the key wants to (in) or (out)roduce.
TTL(D) = 11
TTL(K,k) = 1
TTL(S) = 3
You are welcome to review the correctness of the rollovers.
//yuri
-------------- next part --------------
A non-text attachment was scrubbed...
Name: enforcer_rules.pdf
Type: application/pdf
Size: 224405 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110701/3d8e35da/attachment.pdf>
-------------- next part --------------
zsk roll
key 0 (out) | key 1 (out) | key 2 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,RUM,---,RUM | 0
OMN,OMN,OMN,--- | ---,OMN,---,UNR | ---,OMN,---,RUM | 1
OMN,OMN,OMN,--- | ---,UNR,---,UNR | ---,OMN,---,OMN | 3
OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 4
zsk roll minkey
key 3 (out) | key 4 (out) | key 5 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,RUM | 0
OMN,OMN,OMN,--- | ---,UNR,---,OMN | ---,RUM,---,OMN | 3
OMN,OMN,OMN,--- | ---,HID,---,UNR | ---,OMN,---,OMN | 4
OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 7
zsk roll minsig
key 6 (out) | key 7 (out) | key 8 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,RUM,---,HID | 0
OMN,OMN,OMN,--- | ---,OMN,---,UNR | ---,OMN,---,RUM | 1
OMN,OMN,OMN,--- | ---,UNR,---,HID | ---,OMN,---,OMN | 4
OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 5
Ksk roll
key 9 (out) | key 10 (in) | key 11 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
OMN,OMN,OMN,--- | RUM,RUM,RUM,--- | ---,OMN,---,OMN | 0
UNR,OMN,OMN,--- | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 1
UNR,UNR,UNR,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
Ksk roll minkey
key 12 (out) | key 13 (in) | key 14 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
OMN,OMN,OMN,--- | RUM,HID,HID,--- | ---,OMN,---,OMN | 0
OMN,UNR,UNR,--- | OMN,RUM,RUM,--- | ---,OMN,---,OMN | 11
UNR,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 23
Ksk roll minds
key 15 (out) | key 16 (in) | key 17 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | HID,HID,HID,--- | ---,OMN,---,OMN | None
OMN,OMN,OMN,--- | HID,RUM,RUM,--- | ---,OMN,---,OMN | 0
UNR,OMN,OMN,--- | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 1
HID,UNR,UNR,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
HID,HID,HID,--- | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 13
split roll
key 18 (out) | key 19 (out) | key 20 (in) | key 21 (in) | T
-----------------+-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | RUM,RUM,RUM,--- | ---,RUM,---,RUM | 0
UNR,OMN,OMN,--- | ---,OMN,---,UNR | RUM,OMN,OMN,--- | ---,OMN,---,RUM | 1
UNR,OMN,OMN,--- | ---,UNR,---,UNR | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 3
UNR,OMN,OMN,--- | ---,HID,---,HID | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
UNR,UNR,UNR,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
split roll diff alg
key 22 (out) | key 23 (out) | key 24 (in) | key 25 (in) | T
-----------------+-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,--- | ---,HID,---,RUM | 0
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
UNR,OMN,OMN,--- | ---,OMN,---,OMN | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
HID,UNR,UNR,--- | ---,UNR,---,OMN | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15
HID,HID,HID,--- | ---,HID,---,UNR | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 16
HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 19
csk roll
key 26 (out) | key 27 (in) | T
-----------------+-----------------+------
OMN,OMN,OMN,OMN | HID,HID,HID,HID | None
OMN,OMN,OMN,OMN | RUM,RUM,RUM,RUM | 0
UNR,OMN,OMN,UNR | RUM,OMN,OMN,RUM | 1
UNR,OMN,OMN,UNR | RUM,OMN,OMN,OMN | 3
UNR,OMN,OMN,HID | RUM,OMN,OMN,OMN | 4
UNR,UNR,UNR,HID | OMN,OMN,OMN,OMN | 11
HID,HID,HID,HID | OMN,OMN,OMN,OMN | 12
csk roll diff alg
key 28 (out) | key 29 (in) | T
-----------------+-----------------+------
OMN,OMN,OMN,OMN | HID,HID,HID,HID | None
OMN,OMN,OMN,OMN | HID,HID,HID,RUM | 0
OMN,OMN,OMN,OMN | HID,RUM,RUM,OMN | 3
UNR,OMN,OMN,OMN | RUM,OMN,OMN,OMN | 4
HID,UNR,UNR,OMN | OMN,OMN,OMN,OMN | 15
HID,HID,HID,UNR | OMN,OMN,OMN,OMN | 16
HID,HID,HID,HID | OMN,OMN,OMN,OMN | 19
csk roll to split
key 30 (out) | key 31 (in) | key 32 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
OMN,OMN,OMN,OMN | RUM,RUM,RUM,--- | ---,RUM,---,RUM | 0
UNR,OMN,OMN,UNR | RUM,OMN,OMN,--- | ---,OMN,---,RUM | 1
UNR,OMN,OMN,UNR | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 3
UNR,OMN,OMN,HID | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
UNR,UNR,UNR,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 11
HID,HID,HID,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 12
csk roll to split diff alg
key 33 (out) | key 34 (in) | key 35 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,HID | None
OMN,OMN,OMN,OMN | HID,HID,HID,--- | ---,HID,---,RUM | 0
OMN,OMN,OMN,OMN | HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
UNR,OMN,OMN,OMN | RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
HID,UNR,UNR,OMN | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15
HID,HID,HID,UNR | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 16
HID,HID,HID,HID | OMN,OMN,OMN,--- | ---,OMN,---,OMN | 19
split roll to csk
key 36 (out) | key 37 (out) | key 38 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | RUM,RUM,RUM,RUM | 0
UNR,OMN,OMN,--- | ---,OMN,---,UNR | RUM,OMN,OMN,RUM | 1
UNR,OMN,OMN,--- | ---,UNR,---,UNR | RUM,OMN,OMN,OMN | 3
UNR,OMN,OMN,--- | ---,HID,---,HID | RUM,OMN,OMN,OMN | 4
UNR,UNR,UNR,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 11
HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 12
split roll to csk diff alg
key 39 (out) | key 40 (out) | key 41 (in) | T
-----------------+-----------------+-----------------+------
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,HID | None
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,HID,HID,RUM | 0
OMN,OMN,OMN,--- | ---,OMN,---,OMN | HID,RUM,RUM,OMN | 3
UNR,OMN,OMN,--- | ---,OMN,---,OMN | RUM,OMN,OMN,OMN | 4
HID,UNR,UNR,--- | ---,UNR,---,OMN | OMN,OMN,OMN,OMN | 15
HID,HID,HID,--- | ---,HID,---,UNR | OMN,OMN,OMN,OMN | 16
HID,HID,HID,--- | ---,HID,---,HID | OMN,OMN,OMN,OMN | 19
unsigned to signed split
key 42 (in) | key 43 (in) | T
-----------------+-----------------+------
HID,HID,HID,--- | ---,HID,---,HID | None
HID,HID,HID,--- | ---,HID,---,RUM | 0
HID,RUM,RUM,--- | ---,RUM,---,OMN | 3
RUM,OMN,OMN,--- | ---,OMN,---,OMN | 4
OMN,OMN,OMN,--- | ---,OMN,---,OMN | 15
unsigned to signed csk
key 44 (in) | T
-----------------+------
HID,HID,HID,HID | None
HID,HID,HID,RUM | 0
HID,RUM,RUM,OMN | 3
RUM,OMN,OMN,OMN | 4
OMN,OMN,OMN,OMN | 15
signed csk to unsigned
key 45 (out) | T
-----------------+------
OMN,OMN,OMN,OMN | None
UNR,OMN,OMN,OMN | 0
HID,UNR,UNR,OMN | 11
HID,HID,HID,UNR | 12
HID,HID,HID,HID | 15
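The tables above can be reviewed mechanically. The following is an added example, not part of the original message or of the prototype: it parses one table and checks two properties that are assumptions made here, not the rules from the attached document. The first is that a record only moves in the order HID, RUM, OMN, UNR, HID (assumed to abbreviate hidden, rumoured, omnipresent, unretentive); the second is that a record stays in RUM or UNR for at least its TTL.

```python
import re

COLUMNS = ("D", "K", "k", "S")             # column order given in the message
TTL = {"D": 11, "K": 1, "k": 1, "S": 3}    # TTLs given in the message
# Assumed state cycle: hidden -> rumoured -> omnipresent -> unretentive -> hidden
NEXT = {"HID": "RUM", "RUM": "OMN", "OMN": "UNR", "UNR": "HID"}

# The "csk roll" table, copied from the prototype output in the message.
CSK_ROLL = """\
key 26 (out) | key 27 (in) | T
-----------------+-----------------+------
OMN,OMN,OMN,OMN | HID,HID,HID,HID | None
OMN,OMN,OMN,OMN | RUM,RUM,RUM,RUM | 0
UNR,OMN,OMN,UNR | RUM,OMN,OMN,RUM | 1
UNR,OMN,OMN,UNR | RUM,OMN,OMN,OMN | 3
UNR,OMN,OMN,HID | RUM,OMN,OMN,OMN | 4
UNR,UNR,UNR,HID | OMN,OMN,OMN,OMN | 11
HID,HID,HID,HID | OMN,OMN,OMN,OMN | 12
"""

def parse(table):
    """Return [(time, {(key, column): state})], one entry per table row."""
    lines = table.strip().splitlines()
    keys = re.findall(r"key (\d+)", lines[0])
    steps = []
    for line in lines[2:]:                  # skip header and separator rows
        *groups, t = [cell.strip() for cell in line.split("|")]
        # '---' means the key has no such record, so it is not tracked.
        states = {(key, col): st for key, group in zip(keys, groups)
                  for col, st in zip(COLUMNS, group.split(",")) if st != "---"}
        steps.append((None if t == "None" else int(t), states))
    return steps

def check(table, ttl=TTL):
    """List transitions that break the state order or leave RUM/UNR too early."""
    steps, problems, entered = parse(table), [], {}
    prev = steps[0][1]                      # initial row: entry times unknown
    for time, cur in steps[1:]:
        for rec, state in cur.items():
            old = prev[rec]
            if state == old:
                continue
            if NEXT[old] != state:
                problems.append((time, rec, f"{old}->{state} skips a state"))
            since = entered.get(rec)
            if old in ("RUM", "UNR") and since is not None and time - since < ttl[rec[1]]:
                problems.append((time, rec, f"left {old} after {time - since} < TTL"))
            entered[rec] = time
        prev = cur
    return problems
```

`check(CSK_ROLL)` returns an empty list for the table as posted; a row timestamp moved earlier than a record's TTL allows is reported with the time, the (key, record) pair and the reason.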