[Opendnssec-develop] Passing through signed zones
Matthijs Mekking
matthijs at nlnetlabs.nl
Fri Jun 14 06:07:51 UTC 2013
On 06/13/2013 08:57 PM, Jakob Schlyter wrote:
> On 13 jun 2013, at 17:01, Matthijs Mekking <matthijs at nlnetlabs.nl> wrote:
>
>> Correct. This does open issues when you switch from a kasp policy to
>> passthrough or vice versa, as said in the reply to Rick (think gradually
>> transition). Especially in the passing through signed zones.
>
> Unless we try to support switching from passthrough signed to non-passthrough signed, that shouldn't be a problem?
I think all cases where you try to switch a signed zone to or from
passthrough are difficult, because you have to take into account other
DNSSEC material. The simple cases are:
1. Switching from passthrough unsigned to non-passthrough unsigned:
* Switch to a policy that has no keys configured
2. Switching from passthrough unsigned to non-passthrough signed:
* Switch to a regular policy
3. Switching from non-passthrough unsigned to passthrough unsigned:
* Switch to a passthrough policy
4. Switching from non-passthrough unsigned to passthrough signed:
* Switch to a passthrough policy
For the other four cases it should be well documented that they break stuff,
unless clever things are being done.
Best regards,
Matthijs
>
> jakob