[Opendnssec-user] OpenDNSSEC, signing in two locations

Sebastian Castro sebastian at nzrs.net.nz
Thu Aug 26 05:29:10 UTC 2010


Hi,

Some time ago I started a thread in a DNSSEC mailing list asking about
signing a zone in two different locations, and which considerations I
should take [1]. My intention was to create identical signed zones in
different locations.

Currently OpenDNSSEC can't do that because the inception date depends on
the time the data is being signed, and the expiration date depends on a
random jitter. So, to ensure the signatures have equal
inception/expiration, you need to remove the time/randomness dependencies.

I've worked on the following solution using version 1.1.0:

- inception doesn't depend on the current time, but on the current hour.
That criterion can be changed to round the time to a certain unit of time.

- expiration still uses a jitter, but it is not a uniformly distributed
random variable; it is a step function that takes as input the RRset label
and returns a value between [0, 2*JITTER]. By using this, you make the
jitter depend on the label. Initially I tested using the relative
number of the RRset within the zone, but if you provide zones with equal
content but different order, the signatures won't be the same.

Recently I updated to 1.1.2 and the previous patch was not usable directly,
so I rewrote and tested it.

Using two boxes running the same patched version of OpenDNSSEC, with the
same KASP, keys and state (files in /var/opendnssec/tmp), from the same
input zone we generated the same signed zone in both boxes. The signing
process started with a two-minute difference, and one of the signing
boxes even took double the time to finish the signing.

The distribution of the signature expiration date is still good, but not
perfect. That depends on the quality of the hash function used to
calculate the jitter. I'm attaching a graph with expiration distribution
of my test zone.

CAVEATS:
- the signing process has to start in the same hour.
- the current jitter generation behavior is hard-coded, including the
unit of time used to round down the inception time. It seems reasonable,
if the feature is approved, to make changes to the kasp.xml to signal
which mechanism to use to generate the jitter.

TODO
- Test with more and bigger zones. My test zone has 50,000 records.


I'm hoping to generate some discussion about the correctness of the
solution. The corresponding patches are attached.

cheers,

[1]
http://dnssec-deployment.org/pipermail/dnssec-deployment/2010-February/003653.html
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
-------------- next part --------------
A non-text attachment was scrubbed...
Name: step-jitter.patch
Type: text/x-patch
Size: 4372 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100826/4a8e18b8/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature-expiration.png
Type: image/png
Size: 26190 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20100826/4a8e18b8/attachment.png>
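The attached patch is not reproduced on this page, so what follows is an added example of the scheme the post describes (not Sebastian's patch and not OpenDNSSEC code): inception rounded down to the current hour, and expiration jitter derived from a hash of the RRset owner name, so two signers with the same keys and input zone produce identical RRSIG timing fields. The 7-day validity, 12-hour jitter and the FNV-1a hash are assumptions; the sample owner names and timestamps are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Example parameters (assumed, not from the patch): 7-day validity, 12-hour jitter. */
#define VALIDITY   (7 * 24 * 3600)
#define JITTER     (12 * 3600)
#define ROUND_UNIT 3600   /* inception is rounded down to the current hour, as in the post */

/* Inception no longer depends on the exact signing time, only on the hour it falls in. */
uint32_t round_inception(time_t now) {
    return (uint32_t)(now - (now % ROUND_UNIT));
}

/* Step jitter: hash the RRset owner name (case-folded, since DNS names are case-insensitive)
 * and map it into [0, 2*JITTER]. FNV-1a is an assumed stand-in for the patch's hash. */
uint32_t step_jitter(const char *owner) {
    uint32_t h = 2166136261u;                 /* FNV-1a 32-bit offset basis */
    for (const unsigned char *p = (const unsigned char *)owner; *p; p++) {
        unsigned char c = *p;
        if (c >= 'A' && c <= 'Z') c = (unsigned char)(c + ('a' - 'A'));
        h ^= c;
        h *= 16777619u;                       /* FNV-1a 32-bit prime */
    }
    return h % (2u * JITTER + 1u);
}

/* Expiration = rounded inception + validity + label-dependent jitter. */
uint32_t expiration_for(const char *owner, uint32_t inception) {
    return inception + VALIDITY + step_jitter(owner);
}

/* Returns 1 when two signers starting at t1 and t2 would produce the same
 * inception/expiration pair for this owner, i.e. identical RRSIG timing fields. */
int same_signature_times(const char *owner, time_t t1, time_t t2) {
    uint32_t i1 = round_inception(t1), i2 = round_inception(t2);
    return i1 == i2 && expiration_for(owner, i1) == expiration_for(owner, i2);
}

int main(void) {
    /* Constructed sample: two boxes starting two minutes apart, as in the post's test. */
    const char *owners[] = { "example.nz.", "www.example.nz.", "mail.example.nz." };
    time_t box_a = 1282800550, box_b = box_a + 120;   /* 2010-08-26 05:29:10 UTC and 05:31:10 */
    for (int i = 0; i < 3; i++) {
        uint32_t inc = round_inception(box_a);
        printf("%-18s inception=%u expiration=%u identical=%d\n", owners[i], inc,
               expiration_for(owners[i], inc), same_signature_times(owners[i], box_a, box_b));
    }
    return 0;
}
```

The last caveat in the post shows up directly: a start time just before the hour boundary rounds to a different inception and the two boxes diverge.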

