Hi Libor,

On 31.08.22 15:52, libor.peltan wrote:
This option has been invented with first (ZSK) key roll-overs, and it roughly means "anything that can happen between a change in key set, and the resulting publication of newly signed zone in all public-facing secondaries".

I oppose the idea that this is limited to the normal, fully operational state of all the involved services.

Imagine a case when a server breaks down just after a new key had been generated, preventing any further propagation. You need to take some action, repair your services, and just after that it takes the normal amount of minutes to propagate the zone to public secondaries. The signer proceeds with the next key roll-over step in (propagation-delay + DNSKEY TTL) after the key generation. If all the previous is not covered by propagation-delay, it might happen (not probably, but possibly) that the public secondaries receive the two updates (new key published, and new key activated+old retired) in too close succession, leading to a possible temporary bogus state at some validating resolvers.

Do you understand this scenario and agree with my thoughts?


If you describe it like that, that makes absolute sense and I would agree.


This all suggests that we shall focus more on the propagation-delay setting, and even its default. However, if my thoughts are correct, a proper setting of propagation-delay implies that the calculated rrsig-refresh is automatically correct. A question might follow: why does the rrsig-refresh option even exist? One explanation might be that it was invented first. Automatic key roll-overs are way younger than automatic RRSIG refresh. While it's possible to calculate rrsig-refresh from propagation-delay, it's not possible the other way around.


Agreed. As to the default of this parameter, I'm not in a position to make any suggestions though. I only know our setups and constraints, not how other people are using Knot. I would imagine this would be quite different for someone serving many more zones than we do, or single very large zones.

It would be nice if the documentation gave some guidance regarding this setting.


Regards
André
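Libor's timing argument above, turned into a small model you can run. This is an added example for this page, not code from the thread or from Knot DNS; the `RolloverStep` class, the `safety_margin` rule and all the sample times are my assumptions, chosen to mirror the outage scenario he describes.

```python
"""Model of one ZSK pre-publication roll-over step under a propagation hiccup.

Assumed timeline (an illustration of the thread, not Knot's implementation):
  t = 0 : new ZSK generated and added to the DNSKEY RRset on the signer.
  The signer takes the next step (activate new key, retire old one) at
  propagation_delay + dnskey_ttl, as stated in the thread.
  Each change reaches the public secondaries only after its own real-world
  propagation time; an outage can stretch the first one well past normal.
  A validating resolver may cache the DNSKEY RRset for up to dnskey_ttl after
  fetching it, so the set *without* the new key must have expired everywhere
  before signatures made by the new key may be served.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RolloverStep:
    propagation_delay: int     # configured propagation-delay, seconds
    dnskey_ttl: int            # TTL of the DNSKEY RRset, seconds
    publish_propagation: int   # real time until publication hit secondaries
    activate_propagation: int  # real time until activation hit secondaries

    def publish_visible(self) -> int:
        """Moment the DNSKEY set with the new key is visible on secondaries."""
        return self.publish_propagation

    def activate_visible(self) -> int:
        """Moment RRSIGs made by the new key are visible on secondaries."""
        return self.propagation_delay + self.dnskey_ttl + self.activate_propagation

    def safety_margin(self) -> int:
        """Seconds between the last moment a resolver may still hold the old
        DNSKEY set and the first moment new-key signatures can be served.
        Negative means some validators can end up with bogus answers."""
        last_stale_dnskey = self.publish_visible() + self.dnskey_ttl
        return self.activate_visible() - last_stale_dnskey

    def is_safe(self) -> bool:
        return self.safety_margin() >= 0


def required_propagation_delay(worst_publish_propagation: int,
                               activate_propagation: int) -> int:
    """Smallest propagation-delay for which safety_margin() is non-negative,
    i.e. the worst-case extra delay of the publication step must be covered.
    Follows from margin = propagation_delay + activate - publish."""
    return max(0, worst_publish_propagation - activate_propagation)
```

With a 1 h propagation-delay and a 2 h DNSKEY TTL the normal case (5 min propagation both times) leaves a 1 h margin, while a 5 h outage before the publication propagates drives the margin to -4 h; `required_propagation_delay` then tells you the delay that would have absorbed that outage.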
