[Opendnssec-develop] Automatic introduction of manual keys.

Matthijs Mekking matthijs at NLnetLabs.nl
Mon Oct 10 09:07:30 UTC 2011



On 10/10/2011 10:56 AM, Yuri Schaeffer wrote:
> Nick noticed a difference between the two enforcer implementations which
> I'd like to get your opinion about.
> 
> Importing an unsigned zone, split key, with <manualRollover/> on the KSK:
> 
> Enforcer:
> Generate both keys and introduce them in the zone. This is not
> considered a rollover.
> 
> Enforcer NG:
> Introduce only the ZSK. Wait for user signal to introduce the KSK. This
> is a rollover like any other.
> 
> 
> Personally I like the new behavior, as it feels more consistent. The
> user asks not to do any automatic stuff with the KSK, so we don't.

The user asks us not to do any automatic KSK rollover. You can argue if
introducing the KSK is a rollover. I prefer to have the KSK introduced
automatically, just like the current enforcer does.

> It is possible to implement the old behavior by either:
> A) ignore manual flag if there is no KSK*
> B) ignore manual flag if there is no KSK* for this algorithm.
> * same for other type of keys
> 
> C) or maybe: As long as the zone is not properly signed ignore
> ManualRollover flag.

Option A) is how the current enforcer would work. Option B) is the same,
except it takes into account algorithm rollover (which is actually a
change of the KASP).

What do you mean by properly? Properly in the sense of DNSSEC or
properly according to the KASP?

> 
> I think the solutions A,B,C all have some unexpected behavior for the
> user in some situations. So I suggest to leave it as is.

I would like to see one of the solutions implemented.

Best regards,

Matthijs
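To make the three variants concrete, here is a small Python model of the decision rule under discussion. It is an added example written for this page, not code from OpenDNSSEC's enforcer or Enforcer NG; the Key and KeyPolicy types, the keys_to_introduce function, the variant names "ng", "A" and "B", and the two sample zones are all constructed for illustration. It runs the described Enforcer NG behaviour and options A and B side by side on an unsigned zone and on a zone whose KASP has just been switched to a new algorithm, which is the case where A and B differ.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Key:
    """A key currently present in the zone (constructed type, not the enforcer's)."""
    role: str        # "KSK" or "ZSK"
    algorithm: int   # DNSSEC algorithm number


@dataclass(frozen=True)
class KeyPolicy:
    """One key entry of the KASP (constructed type): role, algorithm, manual flag."""
    role: str
    algorithm: int
    manual_rollover: bool = False   # True when <ManualRollover/> is set for this key


def keys_to_introduce(policies, existing_keys, variant):
    """Return "ROLE/ALG" labels for the keys the enforcer would introduce right now.

    variant:
      "ng" - Enforcer NG as described in the thread: a key with <ManualRollover/>
             always waits for the user's signal.
      "A"  - ignore the manual flag when the zone has no key of that role at all.
      "B"  - ignore the manual flag when the zone has no key of that role for
             this algorithm (so a KASP algorithm change also counts).
    """
    if variant not in ("ng", "A", "B"):
        raise ValueError(f"unknown variant {variant!r}")
    introduced = []
    for pol in policies:
        same_role = [k for k in existing_keys if k.role == pol.role]
        same_role_alg = [k for k in same_role if k.algorithm == pol.algorithm]
        if same_role_alg:
            continue  # a key for this role and algorithm exists; nothing to introduce
        if not pol.manual_rollover:
            introduced.append(pol)  # automatic keys are always introduced when missing
        elif variant == "A" and not same_role:
            introduced.append(pol)  # no key of this role at all: initial introduction
        elif variant == "B":
            introduced.append(pol)  # no key of this role+algorithm: initial introduction
        # variant "ng" (or "A" with a key of this role present): wait for the user
    return [f"{p.role}/{p.algorithm}" for p in introduced]


# Constructed sample data. Policy: KSK with <ManualRollover/>, ZSK automatic.
POLICY_ALG8 = [KeyPolicy("KSK", 8, manual_rollover=True), KeyPolicy("ZSK", 8)]
# The same policy after the KASP is changed to a new algorithm (an algorithm rollover).
POLICY_ALG13 = [KeyPolicy("KSK", 13, manual_rollover=True), KeyPolicy("ZSK", 13)]

UNSIGNED_ZONE = []                                   # freshly imported, no keys yet
ZONE_SIGNED_ALG8 = [Key("KSK", 8), Key("ZSK", 8)]    # already signed with algorithm 8


def compare_variants(policies, existing_keys):
    """Run all three variants on one scenario and return {variant: labels}."""
    return {v: keys_to_introduce(policies, existing_keys, v) for v in ("ng", "A", "B")}


if __name__ == "__main__":
    print("unsigned zone, alg 8 policy:", compare_variants(POLICY_ALG8, UNSIGNED_ZONE))
    print("alg 8 zone, alg 13 policy:  ", compare_variants(POLICY_ALG13, ZONE_SIGNED_ALG8))
```

On the unsigned zone, "ng" introduces only the ZSK while A and B introduce both keys, which is the difference Nick noticed. On the zone already signed with algorithm 8 and a KASP now asking for algorithm 13, A keeps waiting for the user because a KSK exists, whereas B introduces the new-algorithm KSK automatically; that is exactly the sense in which B "takes into account algorithm rollover".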
