[Opendnssec-develop] Enforcer engine design v2 work breakdown

Yuri Schaeffer yuri at NLnetLabs.nl
Tue Sep 27 08:16:46 UTC 2011

>> - Figure out how the user indicates which rollover strategy it wants in
>> the kasp.xml (input request for all of you).

This issue was postponed until after the Alpha. We never made a good
decision on this, so I'd like to discuss this further.

I see 2 options:
- [A] Specify per key
- [B] Specify per policy

[A] Specify per key
This is like Matthijs' proposal. A drawback is that each type of key
KSK|ZSK|CSK has its own set of <RolloverType> values, with different
meaning. What I do like however is that the names from the literature
[1] can be used. In this option we must come up with a name for a CSK
rollover that combines ZSK:PrePublication and KSK:DoubleRRset, which
seems to be omitted in the referred document. Thus we need 4 or 5 names
which denote something else depending on the key they are mentioned in.

[B] Specify per policy
There are 5 possible rollovers. If we specify per policy we need to come
up with 5 new names. On the bright side, their meaning is always consistent.

For reference I made a table. It translates the 'minimize'-flags the
enforcer internally uses to names in the key-timing-bis document.

 DS DNSKEY RRSIG | KSK [1]   | ZSK [1]   | CSK [1]   |
 0  0      0     | Dbl RRset | Dbl Sig   | Dbl RRset |
 0  0      1     | Dbl RRset | Pre Pub   | ???       |
 0  1      0     | Dbl DS    | Dbl RRSig | Dbl DS    |
 0  1      1     |    N/A    |    N/A    |    N/A    |
 1  0      0     | Dbl Sig   | Dbl Sig   | Dbl Sig   |
 1  0      1     | Dbl Sig   | Pre Pub   | Pre Pub   |
 1  1      0     |    N/A    |    N/A    |    N/A    |
 1  1      1     |    N/A    |    N/A    |    N/A    |

Three of the combinations cannot be used (on a single key) as they
cause a deadlock. E.g. the 7th row requires the DNSKEY to propagate
before the DS is introduced AND it requires the DS to propagate before
the DNSKEY is introduced.
As far as I can see there cannot be a conflict between 2 keys. (The
dangerous case would be a split-key algorithm rollover, but I think that
will work in any case.)


[1] draft-mekking-dnsop-dnssec-key-timing-bis-00
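The flag table and the deadlock argument above, as an added example that is not part of the original mail or of the OpenDNSSEC enforcer. It encodes the table as data and derives the N/A rows from a wait relation; the reading of a minimize flag as "do not introduce this record until its neighbours in the chain of trust (DS <-> DNSKEY <-> RRSIG) have propagated" is an assumption taken from the 7th-row explanation, not the enforcer's actual rule.

```python
"""Minimize flags -> rollover names, with deadlock detection.

Assumption (from the mail's 7th-row explanation): a set minimize flag means
the record is not introduced until the records adjacent to it in the chain
of trust (DS <-> DNSKEY <-> RRSIG) have propagated.
"""
from itertools import product

# Order of records in the chain of trust; each record is adjacent to its neighbours.
CHAIN = ("DS", "DNSKEY", "RRSIG")

# Table from the mail: (minimize DS, minimize DNSKEY, minimize RRSIG) -> name per key type.
# The CSK name for (0, 0, 1) is still open in the mail ("???"), hence None.
TABLE = {
    (0, 0, 0): {"KSK": "Dbl RRset", "ZSK": "Dbl Sig",   "CSK": "Dbl RRset"},
    (0, 0, 1): {"KSK": "Dbl RRset", "ZSK": "Pre Pub",   "CSK": None},
    (0, 1, 0): {"KSK": "Dbl DS",    "ZSK": "Dbl RRSig", "CSK": "Dbl DS"},
    (1, 0, 0): {"KSK": "Dbl Sig",   "ZSK": "Dbl Sig",   "CSK": "Dbl Sig"},
    (1, 0, 1): {"KSK": "Dbl Sig",   "ZSK": "Pre Pub",   "CSK": "Pre Pub"},
}


def wait_edges(flags):
    """Return the set of (X, Y) pairs meaning 'X waits for Y to propagate'."""
    edges = set()
    for i, record in enumerate(CHAIN):
        if flags[i]:
            for j in (i - 1, i + 1):
                if 0 <= j < len(CHAIN):
                    edges.add((record, CHAIN[j]))
    return edges


def deadlocks(flags):
    """True when two records wait on each other (a cycle in the wait relation)."""
    edges = wait_edges(flags)
    return any((b, a) in edges for (a, b) in edges)


def rollover_name(key_type, flags):
    """Name from the mail's table, or 'N/A' when the flag combination deadlocks."""
    if deadlocks(flags):
        return "N/A"
    return TABLE[tuple(flags)][key_type]


if __name__ == "__main__":
    for flags in product((0, 1), repeat=3):
        print(flags, [rollover_name(k, flags) for k in ("KSK", "ZSK", "CSK")])
```

Running the module reproduces the mail's table row by row, with the three deadlocking rows coming out as N/A from the wait relation rather than from the table.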
