[Opendnssec-develop] enforcer-ng rules need some work

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Feb 14 08:57:17 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 02/14/2012 09:31 AM, Rickard Bellgrim wrote:
>> a simple example: We have 3 ZSKs A,B,C and all signatures of
>> every key are fully propagated. A has its DNSKEY propagated.
>> 
>> 1) we swap the DNSKEY from A and B. 2) now we change our mind and
>> swap the DNSKEY B with C.
>> 
>> This is still okay, validators have either [A|B|C] but the rules
>> *could* conclude a chain can be built with [AC|BC] (instead of
>> [ABC]) and thus prematurely stop publishing the signatures of one
>> of [A|B].
>> 
>> This potentially breaks stuff during unexpected rollovers.
>> 
>> In my opinion this issue should be addressed before moving on to
>> other release blockers. I can think of a couple solutions but so
>> far none is satisfying. Also, I'm trying to track down why I
>> believed this wasn't an issue any more.
> 
> You mean that the "timer" for the removal of the signatures by A
> will start when B is being introduced and when we switch over to C
> the timer is not reset?
> 
> The removal of the signatures by B should be treated correctly,
> right? Since that "timer" is only started once we move over to C.

That's one approach. But the issue is within the DNSSEC validity
rules, and those do not include timing; the algorithm takes care of
timing.

The DNSSEC validity rules should contain a way to define a relation to
key A and B, and B and C. This relation is transitive (so if A depends
on B and B depends on C, A depends on C).

Yuri is working on documenting this right now.

Best regards,
  Matthijs

> 
> // Rickard

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPOiHtAAoJEA8yVCPsQCW5ewIIAM0nAL0Q+b1j9y52OiYuW2/B
nwvSxwGh67TX9ytuGJVBL4kUUunSZ5i+GovVKIsOJGIWEG3f0lIinJciIhb639fT
gSvv4ZoeBO0V49l8pGmzmzBiSHL5fKHvnF/WZC+UtNacH8ISOG1NgrOEv/T6cP+f
Al2HP9n+A6humuhLRbT5YbHn9BUvBp1Dd4Y+/MzfmN+pn+8/mCNjJTs1c8DIP4zU
VQ1SDs3ng1zl+UZPQcY96yyo5LnyEK9vrY7RVDX1cPFB6vCUHIHvd+xbqDvRess5
Sk6bavFeGDuqqBBOYbUl3ekej/bxBlK4Be69b2WioRiSB+F3uX4ea/ZwUSa5KnE=
=fwH8
-----END PGP SIGNATURE-----
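To make the scenario from this thread concrete, here is an added example (not OpenDNSSEC code, and not the enforcer-ng rules themselves) that models the two DNSKEY swaps A→B and B→C as a replacement chain and derives which RRSIG sets must stay published. The "naive" function mirrors the flawed reasoning described in the quoted text (only the most recent swap is considered), while `possibly_cached_keys` follows the chain transitively, so that A's obligation survives B being replaced by C. The DNSKEY TTL, the swap times and the key names are constructed values.

```python
"""Model of RRSIG publication obligations across a chain of DNSKEY swaps.

Added illustration for the A->B, B->C rollover scenario; it is not
OpenDNSSEC/enforcer-ng code. Times are in seconds, all values constructed.
"""
from dataclasses import dataclass

DNSKEY_TTL = 3600  # constructed: TTL of the zone's DNSKEY RRset


@dataclass(frozen=True)
class Swap:
    old: str   # key whose DNSKEY is withdrawn from the published RRset
    new: str   # key whose DNSKEY replaces it
    at: int    # time the swapped RRset was published


def naive_required_sigs(swaps):
    """Flawed rule: only the latest swap counts, so validators are assumed
    to hold either the key just withdrawn or the key just introduced."""
    last = swaps[-1]
    return {last.old, last.new}


def possibly_cached_keys(swaps, now, ttl=DNSKEY_TTL):
    """Correct rule: walk the replacement chain backwards (C replaced B,
    B replaced A). A withdrawn DNSKEY may sit in a validator cache until
    `ttl` after its swap, and the dependency is transitive: if A depends
    on B and B depends on C, A still depends on C."""
    current = swaps[-1].new
    keys = {current}
    replaced_by = {s.new: s for s in swaps}  # new key -> swap that introduced it
    key = current
    while key in replaced_by:
        swap = replaced_by[key]
        if swap.at + ttl <= now:
            # This DNSKEY has expired from all caches; keys earlier in the
            # chain were withdrawn even earlier, so nothing older is cached.
            break
        keys.add(swap.old)
        key = swap.old
    return keys


def broken_validators(swaps, now, published_sigs, ttl=DNSKEY_TTL):
    """Keys a validator may hold in its DNSKEY cache for which no matching
    RRSIG set is published any more, i.e. validators that would fail."""
    return {k for k in possibly_cached_keys(swaps, now, ttl)
            if k not in published_sigs}


# Constructed scenario from the thread: swap A->B at t=0, change our mind
# and swap B->C ten minutes later, all signatures initially published.
SWAPS = [Swap("A", "B", at=0), Swap("B", "C", at=600)]

if __name__ == "__main__":
    now = 900
    naive = naive_required_sigs(SWAPS)
    correct = possibly_cached_keys(SWAPS, now)
    print("naive rule keeps signatures of:", sorted(naive))
    print("transitive rule keeps signatures of:", sorted(correct))
    print("validators broken by the naive rule:",
          sorted(broken_validators(SWAPS, now, naive)))
    for t in (900, 3700, 4300):
        print(f"t={t}: signatures required for", sorted(possibly_cached_keys(SWAPS, t)))
```

At t=900 the naive rule keeps only B's and C's signatures and leaves every validator that still caches A unable to validate, which is the premature withdrawal the thread worries about; the transitive walk keeps all three until A's DNSKEY has aged out of caches (t=3600), then B's (t=4200), after which only C's signatures are needed.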