[Opendnssec-develop] enforcer-ng rules need some work
Yuri Schaeffer
yuri at nlnetlabs.nl
Thu Feb 9 10:37:38 UTC 2012
Hi,
FYI, careful review done by Wouter revealed a problem in the enforcer-ng
set of rules. We've discussed it before but somewhere during the
evolution of the model I believed it no longer to be a problem. (can't
remember why)
A simple example: We have 3 ZSKs A, B, C and all signatures of every key
are fully propagated. A has its DNSKEY propagated.
1) we swap the DNSKEY from A and B.
2) now we change our mind and swap the DNSKEY B with C.
This is still okay, validators have either [A|B|C]
but the rules *could* conclude a chain can be built with [AC|BC]
(instead of [ABC]) and thus prematurely stop publishing the signatures
of one of [A|B]
This potentially breaks stuff during unexpected rollovers.
In my opinion this issue should be addressed before moving on to other
release blockers. I can think of a couple solutions but so far none is
satisfying. Also, I'm trying to track down why I believed this wasn't an
issue any more.
//yuri
--
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
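
The scenario in the message above, worked through as an added example (not part of the original post and not enforcer-ng code). It assumes a simplified model in which each validator caches one DNSKEY for at most a TTL; the TTL, the timeline values and the function names are constructed for illustration.

```python
# Simplified model (an assumption, not the enforcer-ng rule set): the zone
# publishes one ZSK in its DNSKEY RRset at a time, and a validator that
# fetched it may keep using that copy for up to DNSKEY_TTL seconds.
DNSKEY_TTL = 3600  # constructed value, seconds

# Constructed timeline: (time the DNSKEY changed, key served from then on).
# The swap B -> C happens only 600 s after A -> B, well inside one TTL.
TIMELINE = [(0, "A"), (10_000, "B"), (10_600, "C")]


def possibly_cached(timeline, now, ttl):
    """Keys whose DNSKEY may still be in some validator cache at `now`."""
    cached = set()
    for i, (start, key) in enumerate(timeline):
        if start > now:
            break
        nxt = timeline[i + 1][0] if i + 1 < len(timeline) else None
        # Served until the next change, or still being served at `now`.
        end = nxt if nxt is not None and nxt <= now else now
        # A copy fetched just before `end` expires at end + ttl.
        if end + ttl > now:
            cached.add(key)
    return cached


def stranded(signing_keys, cached):
    """Cached keys for which no signatures are published any more."""
    return sorted(cached - set(signing_keys))


if __name__ == "__main__":
    for now in (10_700, 13_700, 14_300):
        cached = possibly_cached(TIMELINE, now, DNSKEY_TTL)
        print(f"t={now}: caches may hold {sorted(cached)}")
        for sigs in ({"A", "C"}, {"B", "C"}, {"A", "B", "C"}):
            print(f"  signatures {sorted(sigs)} -> stranded "
                  f"{stranded(sigs, cached)}")
```

Shortly after the second swap all three keys can still be cached, so keeping signatures for only A and C, or only B and C, leaves the validators holding the third key without a usable chain.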