-
Notifications
You must be signed in to change notification settings - Fork 5
/
PROCESSES.txt
331 lines (203 loc) · 11.1 KB
/
PROCESSES.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
Description of the different processes that MuSiC will implement.
-----------------------------------------------------------------
The processes below are slightly adapted from
draft-wisser-dnssec-automation-02 and different to the first
implementation done (multi-signer-controller). There are several
observations to be made regarding the adaptions:
1. The draft is writter from the POV of a zone being under the control
of a "multi signer group" and then a signer typically joins the
group or leaves the group. Once the changes needed to deal with the
new set of signers is complete the process is done and an end state
is reached.
The model that MuSiC uses is slightly different. The assumption
here is that in the most common case the "signer group" is already
established and then one or more zones are attached to the signer
group. This triggers a set of state transitions to ensure that the
zones are correctly configured on all signers in the signer group
as well as in the parent zone.
2. The draft has a primary focus on signers entering and leaving
signer groups, i.e. the use case is primarily dealing with zones
migrating from one DNSSEC signing operator to another, with the
state where there are two or more at the same time being a
transient phase.
While this is certainly a crucial use case it is not the only
one. Another is obviously the use case where the zone owner has
made the choice to have multiple DNSSEC signer operators in an
ongoing fashion for robustness reasons (much like having multiple
DNS operators for zone publication).
When operating in a permanent process there is no "end state" and
the MuSiC management of the zone DNSSEC signers has to have an
ongoing capability prepared to deal with future upcoming events (be
it changes to the signer group membership, key rollovers or what
not).
3. In the draft there is no detailed treatment of the consequences of
new events occuring in the midst of an ongoing process. The most
obvious example is that during a synchronisation process (eg. due
to a new signer entering a group or a new zone attaching to a
signer group) a key rollover occurs for the zone in one of the
member signers.
It would obviously be convenient to simply prohibit such
events. But in reality, working with current software, it is clear
that the signers now operate under their own local signing policies
that are not subject to the needs of an external multi signer
controller.
Our current thinking is therefore that the possibility of such
events will transform the precesses from being a linear set of
state transitions to (unfortunately) have branches (i.e. forks) in
the state transition graphs. We are therefore modelling the
different processes as FSMs (Finite State Machines) where it is
possible to modify the FSM for a process by adding branches as the
understanding of the consequences of several events overlapping
with each other becomes better understood.
4. The current implementation of a process has certain quirks.
A process is described by an FSM{} structure. The most important
part of the FSM{} is the States: field, which is a
map[string]FSMState{} allowing easy lookup of the current
FSMState{} for a zone by looking up the zone "state" from the DB in
the {FSM}.States map.
The FSMState{} is very simplisitc and the only part used at present
is the "Next" field which is a map[string]FSMTransition{} with each
possible "next" state as keys in the map.
The FSMTransistion has two func (z *Zone) bool, called "criteria"
and "action" as the most important parts. Criteria is executed when
stepping the FSM (automatically or manually). If "criteria" returns
true then the zone transitions to the next state and the "action"
is executed.
At present it would be possible to more or less collapse the
FSMState{} struct to nothing and only keep the FSMTransition{} as
that's where we do things. But I suggest that we keep it for the
moment until we know if we need to associate "actions" also to
"states" and not only to "transitions".
5. In multi-signer-controller a few steps were swapped.
In joining a signer the first for multi-signer-controller were to
add ZSK for each signer to all signers, then proceed with the CDS/
CDNSKEY records.
In similar fashion, for leaving it would first remove ZSK of the
exiting signer from remaining signers and then proceed with the
CDS/CDNSKEY records.
PROCESS #1: A Signer joins the Multi-Signer group. No ZSK rollovers occur.
1. Confirm that the incoming Signer meets the prerequisites.
2. Establish a trust mechanism between the Multi-Signer group and
the Signer.
For each zone already attached to the signer group {
Zone state: SIGNERS-UNSYNCHED
3. ACTION: Add ZSK for each signer to all other Signers.
Zone state: ZSK-SYNCHED
4. ACTION: Calculate CDS/CDNSKEY Records for all KSKs/CSKs
represented in the Multi-Signer group.
Zone state: CDS-KNOWN
5. ACTION: Configure all Signers with the compiled CDS/CDNSKEY RRSET.
Zone state: CDS-SYNCHED
6. HOLD: Wait for Parent to publish the combined DS RRset.
Zone state: DS-SYNCHED
7. ACTION: Remove CDS/CDNSKEY Records from all Signers. (optional)
Zone state: CDS-REMOVED
8. HOLD: Wait maximum of DS-Wait-Time and DNSKEY-Wait-Time
9. ACTION: Compile NS RRSET including all NS records from all Signers.
Zone state: NS-KNOWN
10. ACTION: Configure all Signers with the compiled NS RRSET.
Zone state: NS-SYNCHED
11. ACTION: Compare NS RRSET of the Signers to the Parent, if
there is a difference publish CSYNC record with NS and A
and AAAA bit set on all signers.
Zone state: CSYNC-PUBLISHED *OR* jump to SIGNERS-SYNCHED (below)
12. HOLD: Wait for Parent to publish NS.
Zone state: PARENT-SYNCHED
13. Remove CSYNC record from all signers. (optional)
Zone state: SIGNERS-SYNCHED
}
PROCESS #1: A Signer joins the Multi-Signer group. A ZSK rollover occurs.
1. Confirm that the incoming Signer meets the prerequisites.
2. Establish a trust mechanism between the Multi-Signer group and
the Signer.
For each zone already attached to the signer group {
Zone state: SIGNERS-UNSYNCHED
3. ACTION: Calculate CDS/CDNSKEY Records for all KSKs/CSKs
represented in the Multi-Signer group.
Zone state: CDS-KNOWN
4. ACTION: Configure all Signers with the compiled CDS/CDNSKEY RRSET.
Zone state: CDS-SYNCHED
5. ACTION: Add ZSK for each signer to all other Signers.
Zone state: ZSK-SYNCHED
6. HOLD: Wait for Parent to publish the combined DS RRset.
Zone state: DS-SYNCHED
7. ACTION: Remove CDS/CDNSKEY Records from all Signers. (optional)
Zone state: CDS-REMOVED
8. HOLD: Wait maximum of DS-Wait-Time and DNSKEY-Wait-Time
9. ACTION: Compile NS RRSET including all NS records from all Signers.
Zone state: NS-KNOWN
10. ACTION: Configure all Signers with the compiled NS RRSET.
Zone state: NS-SYNCHED
11. ACTION: Compare NS RRSET of the Signers to the Parent, if
there is a difference publish CSYNC record with NS and A
and AAAA bit set on all signers.
Zone state: CSYNC-PUBLISHED *OR* jump to ZONE-SYNCHED (below)
12. HOLD: Wait for Parent to publish NS.
Zone state: PARENT-SYNCHED
13. Remove CSYNC record from all signers. (optional)
Zone state: SIGNERS-SYNCHED
}
PROCESS #2: A signer leaves the Multi-Signer group
For each zone already ttached to the signer group {
Zone state: SIGNERS-UNSYNCHED
0.5 ACTION: Compile NS RRSET excluding NS records unique to leaving Signer
Zone state: NS-KNOWN
1. ACTION: Remove exiting Signer's NS records from remaining Signers
Zone state: NS-SYNCHED
2. ACTION: Compare NS RRSET of the Signers to the Parent, if
there is a difference publish CSYNC record with NS and A
and AAAA bit set on remaining signers.
Zone state: CSYNC-PUBLISHED *OR* (unlikely) skip to DELEGATION-NS-SYNCHED (below)
3. HOLD: Wait for Parent to publish NS RRSET.
Zone state: DELEGATION-NS-SYNCHED
4. ACTION: Remove CSYNC record from all signers. (optional)
Zone state: DELEGATION-NS-SYNCHED-2
5. HOLD: Wait NS-Wait-Time
Zone state: DELEGATION-NS-SYNCHED-3
6. ACTION: Stop the exiting Signer from answering
queries. (This is out of scope of MUSIC)
7. ACTION: Calculate CDS/CDNSKEY Records for KSKs/CSKs published by the
remaining Signers.
Zone state: CDS-KNOWN
8. ACTION: Configure remaining Signers with the compiled CDS/CDNSKEY RRSET.
Zone state: CDS-SYNCHED
9. ACTION: Remove ZSK of the exiting Signer from remaining Signers.
Zone state: ZSK-SYNCHED
10. HOLD: Wait for Parent to publish the updated DS RRset.
Zone state: DS-SYNCHED
11. ACTION: Remove CDS/CDNSKEY set from all signers. (Optional)
Zone state: SIGNERS-SYNCHED
}
PROCESS #3: A Signer performs a ZSK rollover
1. The signer introduces the new ZSK in its own DNSKEY RRset.
2. Update all signers with the new ZSK.
3. Wait DNSKEY-Wait-Time
4. Signer can start using the new ZSK.
5. When the old ZSK is not used in any signatures by the signer, the
signer can remove the old ZSK from its DNSKEY RRset.
6. Remove ZSK from DNSKEY RRset of all signers.
PROCESS #4: A Signer performs a CSK or KSK rollover
1. Signer publishes new CSK / KSK in its own DNSKEY RRset.
2. Signer signs DNSKEY RRset with old and new CSK / KSK.
3. Calculate new CDS/CDNSKEY RRset and publish on all signers,
containing both, the old and new CSK / KSK data.
4. Wait for parent to pickup and publish new DS RR set.
5. Wait DS-Wait-Time + DNSKEY-Wait-Time
6. Signer removes old KSK from its DNSKEY RR set. And removes all
signatures done with this key.
7. Calculate new CDS/CDNSKEY RRset and publish on all signers,
containing only the new CSK / KSK data.
8. Wait for parent to pickup and publish new DS RR set.
9. Remove CDS/CDNSKEY RR sets from all signers.
PROCESS #5: Algorithm rollover for the whole Multi-Signer group.
1. All signers publish KSK and ZSK or CSK using the new algorithm.
2. All signers sign all zone data with the new keys.
3. Wait until all signers have signed all data with the new key(s).
4. Calculate new CDS/CDNSKEY RRset and publish on all signers.
5. Wait for parent to pickup and publish new DS RR set.
6. Wait DS-Wait-Time + DNSKEY-Wait-Time
7. Removes all keys and signatures which are using the old
algorithm.
8. Calculate new CDS/CDNSKEY RRset and publish on all signers.
9. Wait for parent to pickup and publish new DS RR set.
10. Remove CDS/CDNSKEY RR sets from all signers.