In message <4aaf6094.3090...@hznet.de>, Holger Zuleger writes: > > > Mark Andrews wrote: > > In message <a06240800c6d44242f...@[10.31.200.153]>, Edward Lewis writes: > >> At 14:45 -0400 9/14/09, David Blacka wrote: > >> > >>> I think it works to simply say this: > >>> > >>> * The ITAR should be checked for changes once per 24 hour period. > >>> > >>> Then: > >>> > >>> * consumers (e.g., dlv.isc.org, me) will know to check at least > >>> once per day; > >>> * TLD operators would know to pre-publish the new DS at least 24 hours > >>> before doing the KSK roll. > >> Plus an allowance for TTLs. > >> > >> It's a bit more complicated I think, unless I missed a fine point in > >> the message. > >> > >> To nit pick: "TLD operators would know to pre-publish the new DS" is > >> incorrect per se - the DS set for a zone is authoritative at the > >> parent. > >> > >> When I want to change a SEP, first I plan to have it in my DNSKEY set > >> for a long enough period to satisfy at least RFC 5011 and the time it > >> takes for all caches to time out all DNSKEY set versions prior to the > >> new SEP-to-be. > > > > Iff the zone being managed according to RFC5011. RFC5011 is not > > required for zones that that have a secure parent. > > > > RFC 5011 is a real pain and unless you have a reason to use it I > > would not recommend saying you are following RFC 5011. > > > > With a secure parent there are several different strategies that > > can be used to roll a DNSKEY cleanly. > > > > Add the new DNSKEY. Add the new DS to the parent zone. Wait for > > both the old DS and DNSKEY RRsets to expire from caches. Remove > > the old DS and the old DNSKEY. > > > > Add new DNSKEY, wait DNSKEY TTL, replace old DS with new DS, wait > > DS ttl, remove old DNSKEY. > To nit pick again: wait *old* DS ttl. > The problem here is that you don't know the exact point in time, when > the new DS is published by the parent. The timer starts when *all* the > authoritative servers of the parent zone publish the new DS record. > > For sure, you can dig for the new DS, but in the world of anycast name > servers you can't be sure that the DS is distributed to all of them.
If you are going to be that picky then it is old expire + old DS ttl after the serial has changed to allow all stealth slaves to have caught up or to have stop serving the zone hoping there isn't a loop in the zone transfer graph or they are all transfering from the primary master because no-one wanted the EDNS EXPIRE option that would have addressed that issue. > > Generate DNSKEY, publish new DS, wait DS ttl, replace DNSKEY, wait > > DNSKEY ttl, remove old DS. ** This is not compatible with how ITAR > > is defined to work. > > > > Note all of these have a wait "DS ttl" after the new DS is published. > > Consumers of ITAR need to update in this window. > > > >> Next I add the new SEP signature to the DNSKEY set and ask the parent > >> to change the DS record in my DS RRSet. Change means take out the > >> old and put in the new (per algorithm/etc.). I don't remove anything > >> at this point. > > > > You will break validators which use different caches for DNSKEY and > > DS lookups doing this. > > > >> I don't think the parent's TTL considerations matter because I am > >> placing two SEP's in to play while waiting. As soon as I see the new > >> DS record appear in the zone (and the old DS gone), I start a timer > >> based on my TTL for the DNSKEY set. Once that timer expires I > >> RFC5011-revoke the old SEP (and sign the whole key set with old and > >> new SEP key). > > > > DS ttl always come into play. You need to assume a validator can > > be using different caches to retieve the DS and DNSKEY RRsets. > > > >> According to RFC 5011 rules I then remove the old SEP and any > >> signature at the appropriate time. > >> > >>> As it is, I don't expect any TLD operator to have any idea of how > >>> long they must pre-publish, nor any consumer to know how often to > >>> poll IANA for any changes. > >> Polling is suboptimal when an event is anticipated but it is a good > >> catch all to avoid missing an event notification. > >> > >> -- > >> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= > - > >> Edward Lewis > >> NeuStar You can leave a voice message at +1-571-434-546 > 8 > >> > >> As with IPv6, the problem with the deployment of frictionless surfaces is > >> that they're not getting traction. > >> _______________________________________________ > >> DNSOP mailing list > >> DNSOP@ietf.org > >> https://www.ietf.org/mailman/listinfo/dnsop > > -- > Holger Zuleger / Zur Röderburg 6 / D-35315 Homberg/Ohm-Höingen / > xmpp:h...@jabber.hznet.de / http://www.hznet.de / tel:+49 6633 642022 -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop