[Opendnssec-develop] Enforcer engine design v2 work breakdown
yuri at NLnetLabs.nl
Tue Sep 27 08:16:46 UTC 2011
>> - Figure out how the user indicates which rollover strategy it wants in
>> the kasp.xml (input request for all of you).
This issue was postponed until after the Alpha. We never made a good
decision on this, so I'd like to discuss this further.
I see 2 options:
- [A] Specify per key
- [B] Specify per policy
[A] Specify per key
This is like Matthijs' proposal. A drawback is that each type of key
KSK|ZSK|CSK has its own set of <RolloverType> values, with different
meanings. What I do like however is that the names from the literature
can be used. In this option we must come up with a name for a CSK
rollover that combines ZSK:PrePublication and KSK:DoubleRRset, which
seems to be omitted in the referred document. Thus we need 4 or 5 names
which denote something different depending on the key they are mentioned under.
[B] Specify per policy
There are 5 possible rollovers. If we specify per policy we need to come
up with 5 new names. On the bright side, their meaning is always consistent.
For reference I made a table. It translates the 'minimize'-flags the
enforcer internally uses to names in the key-timing-bis document.
DS  DNSKEY  RRSIG | KSK       | ZSK       | CSK       |
------------------+-----------+-----------+-----------+
 0    0      0    | Dbl RRset | Dbl Sig   | Dbl RRset |
 0    0      1    | Dbl RRset | Pre Pub   | ???       |
 0    1      0    | Dbl DS    | Dbl RRSig | Dbl DS    |
 0    1      1    | N/A       | N/A       | N/A       |
 1    0      0    | Dbl Sig   | Dbl Sig   | Dbl Sig   |
 1    0      1    | Dbl Sig   | Pre Pub   | Pre Pub   |
 1    1      0    | N/A       | N/A       | N/A       |
 1    1      1    | N/A       | N/A       | N/A       |
Three of the combinations cannot be used (on a single key) as they
cause a deadlock. E.g. the 7th row requires the DNSKEY to propagate
before the DS is introduced AND it requires the DS to propagate before
the DNSKEY is introduced.
As far as I can see there cannot be a conflict between 2 keys. (The
dangerous case would be a split-key algorithm rollover, but I think that
will work in any case.)
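The table and the deadlock argument above, written out as a small Python model. This is an added example, not code from OpenDNSSEC or from this thread. It assumes the wait-for reading of the 'minimize' flags that the mail spells out for the 7th row: a minimized DS waits for the DNSKEY to propagate, a minimized DNSKEY waits for the DS and for the RRSIGs, and a minimized RRSIG waits for the DNSKEY. Under that assumption the three N/A rows are exactly the flag combinations whose wait-for edges form a cycle, which the model checks for all eight rows. The unnamed CSK cell ('???') is kept as None.

```python
"""Model of the enforcer 'minimize' flags from the rollover table.

Added example, not OpenDNSSEC code. ASSUMPTION (taken from the mail's
explanation of the 7th row): a minimized record is withheld until the
records it depends on have propagated:
  - minimize DS     -> DS waits for the DNSKEY
  - minimize DNSKEY -> DNSKEY waits for the DS and for the RRSIGs
  - minimize RRSIG  -> RRSIG waits for the DNSKEY
A rollover is impossible (a deadlock) when these wait-for edges cycle.
"""
from itertools import product

# Names from the key-timing-bis table in the mail, keyed by
# (minimize DS, minimize DNSKEY, minimize RRSIG). None = no name yet
# ('???' in the mail); 'N/A' kept exactly as the mail writes it.
TABLE = {
    (0, 0, 0): ("Dbl RRset", "Dbl Sig",   "Dbl RRset"),
    (0, 0, 1): ("Dbl RRset", "Pre Pub",   None),
    (0, 1, 0): ("Dbl DS",    "Dbl RRSig", "Dbl DS"),
    (0, 1, 1): ("N/A",       "N/A",       "N/A"),
    (1, 0, 0): ("Dbl Sig",   "Dbl Sig",   "Dbl Sig"),
    (1, 0, 1): ("Dbl Sig",   "Pre Pub",   "Pre Pub"),
    (1, 1, 0): ("N/A",       "N/A",       "N/A"),
    (1, 1, 1): ("N/A",       "N/A",       "N/A"),
}
ROLES = ("KSK", "ZSK", "CSK")


def wait_for_graph(min_ds, min_dnskey, min_rrsig):
    """Return {record: set of records it must wait for} for one key."""
    graph = {"DS": set(), "DNSKEY": set(), "RRSIG": set()}
    if min_ds:
        graph["DS"].add("DNSKEY")
    if min_dnskey:
        graph["DNSKEY"].update({"DS", "RRSIG"})
    if min_rrsig:
        graph["RRSIG"].add("DNSKEY")
    return graph


def has_cycle(graph):
    """Depth-first search for a cycle in the wait-for graph."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {node: WHITE for node in graph}

    def visit(node):
        colour[node] = GREY          # on the current DFS path
        for dep in graph[node]:
            if colour[dep] == GREY:  # back edge: a wait-for cycle
                return True
            if colour[dep] == WHITE and visit(dep):
                return True
        colour[node] = BLACK         # fully explored, no cycle through it
        return False

    return any(colour[n] == WHITE and visit(n) for n in graph)


def deadlocked(flags):
    """True when the (DS, DNSKEY, RRSIG) minimize triple can never complete."""
    return has_cycle(wait_for_graph(*flags))


def rollover_name(flags, role):
    """Rollover name for a flag triple and key role (KSK, ZSK or CSK).

    Deadlocked combinations are refused regardless of the table contents."""
    if deadlocked(flags):
        return "N/A"
    return TABLE[flags][ROLES.index(role)]


def deadlocked_rows():
    """Row numbers (1-based, in the order the mail lists them) the model rejects."""
    rows = product((0, 1), repeat=3)  # same order as the table above
    return [i + 1 for i, flags in enumerate(rows) if deadlocked(flags)]


def model_matches_table():
    """True when the model's deadlocks are exactly the table's N/A rows."""
    return all(deadlocked(flags) == (names[0] == "N/A")
               for flags, names in TABLE.items())


if __name__ == "__main__":
    for flags, names in TABLE.items():
        status = "deadlock" if deadlocked(flags) else "ok"
        print(flags, status, [rollover_name(flags, r) for r in ROLES])
    print("deadlocked rows:", deadlocked_rows())
    print("model agrees with table:", model_matches_table())
```

The check the block performs is the one worth keeping around when the kasp.xml representation is decided: whichever option (per key or per policy) is chosen, the names must never map to one of the three cyclic flag triples, and `rollover_name` refuses them before consulting the table.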