[Opendnssec-user] Some glitches in OpenDNSSEC

Rickard Bellgrim rickard.bellgrim at iis.se
Fri Jul 2 09:51:48 UTC 2010


> So my original comment is still valid. You cannot remove individual
> keys from KASP database.

Ok, so the Enforcer does not remove the keys from its database when the zone is removed.

>>> - Algorithm rollover is missing? And it's not in the roadmap yet?
>> 
>> It is planned for 1.3, but the roadmap is not updated. Will do that next week.
> 
> Thanks.
> 
>> Algorithm rollover is essentially like going from unsigned to signed with the new algorithm. Then at one point you decide to go unsigned with the old algorithm. The Enforcer should be able to handle multiple sets of algorithms, and also that the kasp.xml must be expanded (so that you can have multiple ksk and zsk fields)
> 
> Nope, unfortunately it's much more complicated. Olafur and I had a
> talk about that and you need to pre-publish the signatures before you
> publish DNSKEYs with new algorithm. Also at each time you need to have
> signatures for all RRSets with DNSKEY for each algorithm in apex. Then
> you have to be careful with DS as well (same rule applies).
> 
> Expect some mail in dnsop/dnsext soon on this topic.


If you just sign your zone at once with the new algorithm, then you have RRSIG for each algorithm.

The problem would be if you have to prepublish the DNSKEYs in the correct order. But algorithm rollover is different from key rollover.

Prepublishing is only needed when you expect that the zone should be signed with a specific algorithm. But the resolver only expects that when you have a DS pointing to this new algorithm. You can do whatever you want before adding the DS record. So only upload the new DS when you know that the zone has propagated and that the caches have expired.

A resolver who wants to validate e.g. GOST sees the zone as unsigned until you have signed it and uploaded the new DS RR. Thus the transition between algorithms is just like signing an unsigned zone with the new algorithm, then unsigning the zone with the old algorithm after some time.

We have another view. So expect some comments on that topic :)

// Rickard
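
The two conditions discussed in this thread (signatures present for every algorithm in the apex DNSKEY RRset, and the new DS uploaded only after the signed zone has propagated and caches have expired) can be checked mechanically before touching the parent. The sketch below is an added example, not part of the original message and not OpenDNSSEC code; the `ZoneView` structure, the function names, the algorithm numbers and the zone data are all constructed assumptions.

```python
# Added example with constructed data; all names here are hypothetical.
from dataclasses import dataclass

OLD_ALG, NEW_ALG = 8, 12  # RSASHA256 and ECC-GOST, picked for illustration

@dataclass
class ZoneView:
    dnskey_algs: set   # algorithms in the apex DNSKEY RRset
    ds_algs: set       # algorithms in the DS RRset at the parent
    rrsig_algs: dict   # (owner, type) -> algorithms that have an RRSIG over it

def unsigned_rrsets(zone, alg):
    """RRsets that carry no RRSIG made with `alg`."""
    return sorted(k for k, algs in zone.rrsig_algs.items() if alg not in algs)

def consistency_errors(zone):
    """Every DNSKEY algorithm must sign every RRset; every DS algorithm
    must have a DNSKEY (and therefore signatures) in the zone."""
    errors = []
    for alg in sorted(zone.dnskey_algs):
        for owner, rtype in unsigned_rrsets(zone, alg):
            errors.append(f"alg {alg}: no RRSIG over {owner} {rtype}")
    for alg in sorted(zone.ds_algs - zone.dnskey_algs):
        errors.append(f"alg {alg}: DS published without a matching DNSKEY")
    return errors

def earliest_ds_upload(signed_at, propagation_delay, max_ttl):
    """Zone fully signed, then propagated, then old cached data expired."""
    return signed_at + propagation_delay + max_ttl

def safe_to_add_ds(zone, alg, now, signed_at, propagation_delay, max_ttl):
    if alg not in zone.dnskey_algs or unsigned_rrsets(zone, alg):
        return False
    return now >= earliest_ds_upload(signed_at, propagation_delay, max_ttl)

# Constructed snapshot: new DNSKEY is out, but one RRset is not yet re-signed.
PARTIAL = ZoneView(
    dnskey_algs={OLD_ALG, NEW_ALG}, ds_algs={OLD_ALG},
    rrsig_algs={("example.", "SOA"): {OLD_ALG, NEW_ALG},
                ("example.", "DNSKEY"): {OLD_ALG, NEW_ALG},
                ("www.example.", "A"): {OLD_ALG}})
# Constructed snapshot: every RRset carries signatures from both algorithms.
FULL = ZoneView(
    dnskey_algs={OLD_ALG, NEW_ALG}, ds_algs={OLD_ALG},
    rrsig_algs={k: {OLD_ALG, NEW_ALG} for k in PARTIAL.rrsig_algs})

if __name__ == "__main__":
    print(consistency_errors(PARTIAL))
    print(safe_to_add_ds(FULL, NEW_ALG, now=90000, signed_at=0,
                         propagation_delay=3600, max_ttl=86400))
```

Times are plain seconds on one clock; `max_ttl` stands for the longest TTL with which data from the pre-signing zone could still be cached.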

