[Opendnssec-develop] Enforcer engine

Yuri Schaeffer yuri at nlnetlabs.nl
Wed Jun 22 09:37:18 UTC 2011


> * The key "i" in the rules indicates all keys, right?

The subscript i indicates the current key which we try to bring to the
next state. It is true we need to do this for all keys (at least once
per run).

Subscripts x, y, z indicate *some* key with the same algorithm as key i.

> * ZSK Double Signature rollover is said to be fastest. But what if
> TTL(key)=1 and TTL(sig)=3?
> ZSK Double Signature rollover: 2xMaxTTL(key,sig) = 6
> ZSK Pre-Pubplucation[sic] rollover: 2xTTL(key) + TTL(sig) = 5

Nice catch, I see you are awake. Actually I tripped over this myself
yesterday as well. As of r5239 it is corrected in the repository.

ZSK Double Signature is indeed faster. The correct Total should actually
be: TTL(key) + TTL(sig) = 4

The fast set must wait with introducing the new key till the slow set
has introduced the new key. The time gain is when the new key is
introduced for the fast set, the old key can _already_ outroduce for the
slow set.

This is the output the prototype gives for this scenario:
Records in the same order as in the document's tables.

     key 0 (out) |     key 1 (out) |      key 2 (in) | T
----------------------------------------------------------
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,HID,---,HID | None
 OMN,OMN,OMN,--- | ---,OMN,---,OMN | ---,RUM,---,RUM | 0
 OMN,OMN,OMN,--- | ---,OMN,---,UNR | ---,OMN,---,RUM | 1
 OMN,OMN,OMN,--- | ---,UNR,---,UNR | ---,OMN,---,OMN | 3
 OMN,OMN,OMN,--- | ---,HID,---,HID | ---,OMN,---,OMN | 4

//yuri



