[Opendnssec-user] A question about keys and such

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Jan 26 10:10:16 UTC 2016


On 01/22/2016 07:37 AM, Gilles Massen wrote:

> On 01/21/2016 10:53 PM, Jake Zack wrote:
>> So…is it not possible to have a whack of domains use the same keys with
>> OpenDNSSEC?
> Yes, it is. You'd need the <ShareKeys/> tag in the <Keys> section of
> your policy.
> 
>> Question 2…
>> When I ran the key generate, did it attach each key to a parent zone
>> immediately?  Or is it only enforcerd that builds these relationships?
> 
> At least for 1.3.x, it does not attach keys to a zone (if you are using
> shared keys). But the keys are attached to the policy (in the database -
> not sure how you can see that using ods-ksmutil)

This remains the same for at least 2.0, keys aren't attached until
actually used, even though they are pre-generated.  This means that
other policies might "steal" generated keys for a policy.
This is something on the wish list to have a better pooling and
allocation system for keys.

>> Question 3…
>> If I copy this setup to a second machine…upon the next key rotation, can
>> I expect both machines to select the same key id’s for the new incoming key?
> 
> I'll pass on this one. In any case, if you have two machines identical
> at some point in time, you might see a drift over time in the signatures
> due to jitter. I don't know if/how this would apply to the key handling,
> but in our case I planned for regular syncing between our two machines.

For various reasons you cannot expect two machines with an identical
set-up to react the same way.  Jitter being one, but there is also a
non-deterministic behavior in which tasks execute.  When a new key
needs to be taken from the pre-generated list, this list of keys should
be considered unordered so it is unknown which key will be used.

Basically, it does not make sense to run multiple copies of the
enforcer, the enforcer should not be time insentive and there is no
sensitivity of the enforcer to be out-of-order for a moment from the
standpoint of keeping your zones signed.  So a hot-standby is the
best way to go for a high-availability scenario as far as the enforcer
is concerned.

With kind regards,
Berry van Halderen
