[Opendnssec-develop] enforcer-ng rules need some work
Rickard Bellgrim
rickard at opendnssec.org
Tue Feb 14 08:31:29 UTC 2012
> a simple example: We have 3 ZSKs A,B,C and all signatures of every key
> are fully propagated. A has its DNSKEY propagated.
>
> 1) we swap the DNSKEY from A and B.
> 2) now we change our mind and swap the DNSKEY B with C.
>
> This is still okay, validators have either [A|B|C]
> but the rules *could* conclude a chain can be build with [AC|BC]
> (instead of [ABC]) and thus prematurely stop publishing the signatures
> of one of [A|B]
>
> This potentially breaks stuff during unexpected rollovers.
>
> In my opinion this issue should be addressed before moving on to other
> release blockers. I can think of a couple solutions but so far none is
> satisfying. Also, I'm trying to track down why I believed this wasn't an
> issue any more.
You mean that the "timer" for the removal of the signatures by A will
start when B is being introduced and when we switch over to C the
timer is not reset?
The removal of the signatures by B should be treated correctly, right?
Since that "timer" is only started once we move over to C.
// Rickard
More information about the Opendnssec-develop
mailing list