[Opendnssec-develop] Enforcer: Multiple keys in same role

Yuri Schaeffer yuri at nlnetlabs.nl
Thu Jul 14 15:48:55 UTC 2011


I have finally heard of use cases for multiple keys in the same role
(politics, geeks and paranoids).

So I have been thinking about an algorithm to decide which keys to keep
and which to decommission. I propose to link keys to their policy by
role|algorithm|lifetime|repository. This information is already present
at the key, but no link to the policy is defined.

A policy may look like this (collection of KeyConfigurations):
	zsk1 (alg a1, lifetime l1, repository r)
	zsk2 (alg a2, lifetime l1, repository r)
	ksk1 (alg a1, lifetime l2, repository r)
	ksk2 (alg a2, lifetime l2, repository r)
	no csks

The algorithm looks like this:
Decommission all keys with KeyConfiguration not in Policy.
/* We toggle goal, no immediate consequences */

for each KeyConfiguration Kc:
  (not Exists key in Kc) OR (newest key in Kc is EOL)?
    decommission each key in Kc
    introduce new key

- Two exact same keys are not possible. Enforcer will still work, but
the outcome might be unexpected for users (one key will be thrown away
immediately after generation).

- Keys from some old KeyConfiguration will automatically outroduce, even
if they are not end of life. This is probably what the user wants.
- Switching to an unsigned zone works as intended.

What do you think?
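As an added illustration (not code from the mail or from OpenDNSSEC), the decision rule above written out over constructed data: a KeyConfiguration is identified by the tuple role|algorithm|lifetime|repository as proposed, keys carry only a goal that is toggled ("in" / "out"), and nothing is ever deleted. The names KeyConfiguration, Key, enforce and is_eol, the goal values, and the sample lifetimes and repository name are all assumptions of this example. The timeline in main() walks through the three observations in the mail: a rollover when the newest key reaches end of life, a configuration dropped from the policy being outroduced early, and an empty policy (unsigned zone) decommissioning everything without introducing a replacement.

```python
"""Constructed example of the proposed enforcer rule; not OpenDNSSEC code."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class KeyConfiguration:
    """The policy link proposed in the mail: role|algorithm|lifetime|repository."""
    role: str          # "KSK", "ZSK" or "CSK"
    algorithm: int     # DNSSEC algorithm number
    lifetime: int      # seconds a key is used before it is end of life
    repository: str    # HSM / repository name (assumed field name)


@dataclass
class Key:
    config: KeyConfiguration
    introduced: int        # time the key was generated (seconds)
    goal: str = "in"       # "in" = keep in the zone, "out" = decommission

    def is_eol(self, now: int) -> bool:
        """End of life once the configured lifetime has passed."""
        return now >= self.introduced + self.config.lifetime


def enforce(policy: List[KeyConfiguration], keys: List[Key], now: int) -> List[Key]:
    """One pass of the rule from the mail; returns the (possibly extended) key list.

    Step 1: decommission every key whose KeyConfiguration is not in the policy.
    Step 2: for each KeyConfiguration, if no key exists or the newest key is
            EOL, decommission all keys of that configuration and introduce one.
    Only goals are toggled, so the history of old keys stays visible.
    """
    wanted = set(policy)
    for key in keys:
        if key.config not in wanted:
            key.goal = "out"          # step 1: outroduce even if not EOL

    introduced: List[Key] = []
    # dict.fromkeys keeps policy order but collapses identical configurations,
    # so "two exact same keys" (the mail's first caveat) cannot arise here.
    for kc in dict.fromkeys(policy):
        in_kc = [k for k in keys if k.config == kc]
        newest: Optional[Key] = max(in_kc, key=lambda k: k.introduced, default=None)
        if newest is None or newest.is_eol(now):
            for k in in_kc:
                k.goal = "out"        # step 2: retire the whole configuration
            introduced.append(Key(config=kc, introduced=now))
    return keys + introduced


def active(keys: List[Key]) -> List[KeyConfiguration]:
    """Configurations that currently have a key with goal 'in'."""
    return [k.config for k in keys if k.goal == "in"]


if __name__ == "__main__":
    # Constructed policy mirroring the mail: two ZSKs and two KSKs, no CSK.
    zsk1 = KeyConfiguration("ZSK", 8, 100, "softhsm")
    zsk2 = KeyConfiguration("ZSK", 13, 100, "softhsm")
    ksk1 = KeyConfiguration("KSK", 8, 365, "softhsm")
    ksk2 = KeyConfiguration("KSK", 13, 365, "softhsm")
    policy = [zsk1, zsk2, ksk1, ksk2]

    keys = enforce(policy, [], now=0)          # fresh zone: four keys introduced
    keys = enforce(policy, keys, now=100)      # ZSK lifetime reached: ZSK rollover
    keys = enforce([zsk1, ksk1, ksk2], keys, now=120)  # zsk2 dropped: outroduced early
    keys = enforce([], keys, now=130)          # unsigned zone: everything goes out
    for k in keys:
        print(k.config.role, k.config.algorithm, "introduced", k.introduced, "goal", k.goal)
```

Running the script prints the full key history; the same timeline can be replayed step by step with enforce() and active() to see which configurations hold a live key after each pass.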
