[Opendnssec-develop] enforcer-ng rules need some work

Yuri Schaeffer yuri at nlnetlabs.nl
Tue Feb 14 09:07:20 UTC 2012


> You mean that the "timer" for the removal of the signatures by A will
> start when B is being introduced and when we switch over to C the
> timer is not reset?

No, because there is no such timer, and it is not a timing issue. It is
a dependency issue. Having "a good ZSK" could rely on n keys. The
current rules just cover the 1 and 2 case. If we want to support the >2
case we also must include an ordering in keys.

> The removal of the signatures by B should be treated correctly, right?
> Since that "timer" is only started once we move over to C.

No. The system could now conclude only A and C are needed for a proper
ZSK. Thus the signatures of B are no longer necessary even though the
dnskey is still out in the wild.
This is a problem, since there could be caches with only B in the dnskeyset.

Matthijs and I had a couple of lengthy discussions and believe we have
found an elegant and fitting solution yesterday.

The idea is simple. Let A, B, C be records of different keys. If A can go
to Unretentive only because B is in Rumoured, we administer a relation
between A and B. B cannot go to Unretentive as long as A relies on it.
Having C in Rumoured enables B to go to Unretentive anyway as long as we
administer a relation between B and C. Now, declaring that relation
transitive, we can derive that A relies on B AND C.

The notation is a bit harder, I'm still working on that. We have one
that covers everything. But I am not convinced (yet) that it isn't a
complex way of saying something simple. I'll post it here later today.

-- 
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
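As an added illustration of the relation described in the message above (example code, not from the thread and not OpenDNSSEC's enforcer-ng code), the following Python models the A -> B relation, its transitive closure, and the check that a record cannot go to Unretentive while a live record still relies on it. The states Omnipresent and Hidden, the propagate/retire/hide transitions, and all class and method names are assumptions made for this model; the message itself only names Rumoured and Unretentive.

```python
from dataclasses import dataclass, field

# Record states of the key state machine. The thread names Rumoured and
# Unretentive; Omnipresent and Hidden are assumed here as the remaining
# two states (present everywhere / gone from every cache).
RUMOURED = "Rumoured"
OMNIPRESENT = "Omnipresent"
UNRETENTIVE = "Unretentive"
HIDDEN = "Hidden"


@dataclass
class KeyRecord:
    name: str
    state: str
    # Direct relations: this record went Unretentive because each named
    # record was being introduced (Rumoured) at the time.
    relies_on: set = field(default_factory=set)


class DependencyError(Exception):
    """A transition would withdraw a record that other live records rely on."""


class KeyRelations:
    """Administers the A -> B relation from the thread plus its transitive closure."""

    def __init__(self):
        self.keys = {}

    def add(self, name, state=RUMOURED):
        self.keys[name] = KeyRecord(name, state)

    def relies_on(self, name):
        """Transitive closure: every record `name` relies on, directly or via others."""
        seen, todo = set(), list(self.keys[name].relies_on)
        while todo:
            k = todo.pop()
            if k not in seen:
                seen.add(k)
                todo.extend(self.keys[k].relies_on)
        return seen

    def reliant_on(self, name):
        """Records still in the wild (not Hidden) that transitively rely on `name`."""
        return {k for k, rec in self.keys.items()
                if k != name and rec.state != HIDDEN and name in self.relies_on(k)}

    def propagate(self, name):
        """Rumoured -> Omnipresent once the record has reached every cache."""
        rec = self.keys[name]
        if rec.state != RUMOURED:
            raise DependencyError(f"{name} is {rec.state}, not Rumoured")
        rec.state = OMNIPRESENT

    def check_retire(self, name, successor=None):
        """Return None if `name` may go to Unretentive, else the reason it may not.

        Without a successor, nothing in the wild may rely on `name`. With a
        successor that is already Rumoured (or Omnipresent) the move is allowed
        anyway; retire() then records the relation name -> successor.
        """
        rec = self.keys[name]
        if rec.state != OMNIPRESENT:
            return f"{name} is {rec.state}, not Omnipresent"
        if successor is None:
            blockers = self.reliant_on(name)
            return f"{name} still relied on by {sorted(blockers)}" if blockers else None
        succ = self.keys[successor]
        if successor == name or succ.state not in (RUMOURED, OMNIPRESENT):
            return f"{successor} cannot take over from {name}"
        return None

    def retire(self, name, successor=None):
        """Omnipresent -> Unretentive, administering the relation if a successor is used."""
        reason = self.check_retire(name, successor)
        if reason is not None:
            raise DependencyError(reason)
        if successor is not None:
            self.keys[name].relies_on.add(successor)
        self.keys[name].state = UNRETENTIVE

    def hide(self, name):
        """Unretentive -> Hidden once the record has left every cache."""
        rec = self.keys[name]
        if rec.state != UNRETENTIVE:
            raise DependencyError(f"{name} is {rec.state}, not Unretentive")
        rec.state = HIDDEN


if __name__ == "__main__":
    # Constructed walk-through of the A, B, C scenario from the thread.
    r = KeyRelations()
    r.add("A", OMNIPRESENT)
    r.add("B")
    r.retire("A", "B")            # A -> B administered
    r.propagate("B")
    r.add("C")
    print("B without successor:", r.check_retire("B"))   # blocked: A relies on B
    r.retire("B", "C")            # B -> C administered
    print("A relies on:", sorted(r.relies_on("A")))      # ['B', 'C'] by transitivity
    print("C is relied on by:", sorted(r.reliant_on("C")))
```

The walk-through reproduces the point of the message: once B has handed over to C, A transitively relies on both B and C, so C is blocked from going to Unretentive until A and B have gone Hidden, even though A's relation was only ever administered against B.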


