[Opendnssec-user] ODS 2.14, double signatures during ZSK rollover

Havard Eidnes he at uninett.no
Thu Feb 27 14:52:01 UTC 2020


picking up on an "inner" comment from earlier in the discussion:

>> On 15/01/2020 08.49, Erik P. Ostlyngen via Opendnssec-user wrote:
>>> On 14/01/2020 10.00, Berry A.W. van Halderen via Opendnssec-user
>>>  wrote:
>>>> Dear Erik,
>>>> It will also depend on the TTL of your keyset.  The old 
>>>> signatures need to be around for at least that time period plus
>>>> some more.

This is, as I understand it, so that cached DNSKEY keysets "out
there" can be used to validate the signature on newly looked up
data, so it's understandable that the old signatures need to stay
published in the signed zone file for a while, until the new ZSK
has been picked up by all (well-behaving) recursive resolvers.

>>>> The ods-enforcer key list command by default only 
>>>> gives out information whether a key is active or not, not the 
>>>> real underlying status of the key presence as seen on the 
>>>> internet.  If you add the flag -d to the command it will
>>>> output a more extended interpretation with amongst others
>>>> whether a key is rumoured (active but not seen by everyone yet)
>>>> or omnipresent (everyone should know about it). Only in that
>>>> latter state an old signature will be dropped when a new
>>>> signature is generated.

However, does it make sense to generate new signatures using the
new ZSK while it is still in this "rumoured" state?  Or is that
in fact being done?  If you avoid doing that, but instead wait
till the new ZSK is in "omnipresent" state, can't OpenDNSSEC then
simply replace the old signatures with new signatures using the
new ZSK instead of first adding the new ones before at a much
later date remove the signatures done with the old ZSK, thereby
avoiding the observed zone bloat?

Best regards,

- Håvard
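An added example, not part of the post and not OpenDNSSEC's own code: a small stdlib-only Python check an operator can run over a signed zone to see the double-signature phase the thread describes, i.e. which RRsets currently carry RRSIGs from more than one key tag, how many signatures each key tag accounts for, and what share of the zone is RRSIG records (the "zone bloat"). The zone text is constructed for the example (key tags 11111, 22222 and 33333 are made up, signature fields are placeholders), and the parser assumes one record per line with the owner name present on every line, which is an assumption about the signer's output format rather than something the post states.

```python
from collections import defaultdict

# Constructed sample (not real DNS data): a slice of a signed zone in the
# middle of a ZSK rollover. Key tag 11111 is the outgoing ZSK, 22222 the
# incoming ZSK, 33333 the KSK. Signature fields are short placeholders.
SAMPLE_ZONE = """\
; example.org, signed (constructed sample)
example.org.      3600 IN SOA    ns1.example.org. hostmaster.example.org. 2020022701 7200 3600 1209600 3600
example.org.      3600 IN RRSIG  SOA 8 2 3600 20200313120000 20200227120000 11111 example.org. c2lnMQ==
example.org.      3600 IN RRSIG  SOA 8 2 3600 20200313120000 20200227120000 22222 example.org. c2lnMg==
example.org.      3600 IN DNSKEY 257 3 8 AwEAAcKSKPLACEHOLDER
example.org.      3600 IN RRSIG  DNSKEY 8 2 3600 20200313120000 20200227120000 33333 example.org. c2lnMw==
www.example.org.   300 IN A      192.0.2.10
www.example.org.   300 IN RRSIG  A 8 3 300 20200313120000 20200227120000 11111 example.org. c2lnNA==
www.example.org.   300 IN RRSIG  A 8 3 300 20200313120000 20200227120000 22222 example.org. c2lnNQ==
mail.example.org.  300 IN A      192.0.2.25
mail.example.org.  300 IN RRSIG  A 8 3 300 20200313120000 20200227120000 22222 example.org. c2lnNg==
"""


def parse_rrsigs(zone_text):
    """Return one dict per RRSIG record in presentation-format zone text.

    Assumption: one record per line, owner name on every line (no
    multi-line parenthesised records, no blank-owner continuation lines)."""
    sigs = []
    for line in zone_text.splitlines():
        toks = line.split()
        if not toks or toks[0].startswith(";") or "RRSIG" not in toks:
            continue
        i = toks.index("RRSIG")
        # RRSIG RDATA order: type-covered alg labels orig-ttl expiration
        #                    inception key-tag signer signature
        if len(toks) < i + 9:
            continue  # truncated or malformed line, skip it
        sigs.append({
            "owner": toks[0],
            "covered": toks[i + 1],
            "expiration": toks[i + 5],
            "inception": toks[i + 6],
            "keytag": int(toks[i + 7]),
            "signer": toks[i + 8],
        })
    return sigs


def keytags_per_rrset(zone_text):
    """Map (owner, covered type) -> sorted key tags that sign that RRset."""
    tags = defaultdict(set)
    for s in parse_rrsigs(zone_text):
        tags[(s["owner"], s["covered"])].add(s["keytag"])
    return {k: sorted(v) for k, v in tags.items()}


def double_signed(zone_text):
    """RRsets carrying signatures from more than one key: the visible
    symptom of the double-signature phase of a ZSK rollover."""
    return {k: v for k, v in keytags_per_rrset(zone_text).items() if len(v) > 1}


def signatures_by_keytag(zone_text):
    """How many RRSIGs each key tag is responsible for in the zone."""
    counts = defaultdict(int)
    for s in parse_rrsigs(zone_text):
        counts[s["keytag"]] += 1
    return dict(counts)


def rrsig_share(zone_text):
    """Fraction of non-comment records that are RRSIGs: a rough gauge of
    how much of the zone is signature overhead during the rollover."""
    records = [l for l in zone_text.splitlines()
               if l.split() and not l.lstrip().startswith(";")]
    return len(parse_rrsigs(zone_text)) / len(records) if records else 0.0


if __name__ == "__main__":
    for (owner, rtype), tags in sorted(double_signed(SAMPLE_ZONE).items()):
        print(f"{owner} {rtype}: signed by key tags {tags}")
    print("signatures per key tag:", signatures_by_keytag(SAMPLE_ZONE))
    print(f"RRSIG share of records: {rrsig_share(SAMPLE_ZONE):.0%}")
```

Run it against successive outputs of the signer (for example once per resign interval) and the per-key-tag counts show the old ZSK's signature count falling to zero once the enforcer considers the new key omnipresent; an old key tag that keeps appearing long after the DNSKEY TTL has elapsed is the condition worth raising on the list.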
