Contents: 0 ENFORCER-NG INTRODUCTION 1 HIGH-LEVEL DESIGN GOALS 2 KEY FEATURES 3 CHANGES FOR THE USER 4 TODO BEFORE FINAL RELEASE 5 FUTURE FEATURES 6 BUILDING FROM SOURCE REPOSITORY 7 ENFORCER INTERNALS 8 NEVER ASKED QUESTIONS 0 ENFORCER-NG INTRODUCTION One of the explicit design goals is to manage a large number of zones simultaneously. Together with the progressing requirements it becomes increasingly harder to satisfy them with the current Enforcer. It was agreed that a complete redesign and implementation is the best way to go for the future. Enter Enforcer NG (from here on simply called Enforcer). This document describes the highlights and differences between the two implementations as well as the state of affairs during the first alpha release. Please not that other documentation regarding the Enforcer in this release is likely not up to date and inaccurate. 1 HIGH-LEVEL DESIGN GOALS - Support for a large number of zones. The enforcer should reasonably be useable with many zones. Think order of magnitude 50.000 concurrent zones. - Allow for future rollover strategies. Provide a generic framework to implement other kinds of rollovers in the future. - Drop in replacement. Should replace the current enforcer but keep the same interface and provide migration scripts from earlier installs. 2 KEY FEATURES - Single key signing (CSK). Using a single key as both KSK and ZSK. And safely switch to or from a split key scenario. - Algorithm rollover - Policy rollover - Multiple concurrent active keys. Possibly of different algorithms. - Multiple HSM's. - Support for unsigned zones. Also dubbed pass-through or null algorithm. This also includes graceful rolling from and to a regular signed zone. - Time safe. Taking the Enforcer down has no impact on the DNSSEC validity of the managed zones. The enforcer can be started later and it will pick up where it left of (this will of course delay pending rollovers). - Command channel The enforcer includes a command channel from the user to the daemon much like the signer does. The user can interact with the daemon and inspect the current state. - Scheduling behavior The Enforcer is a daemon defining tasks for itself. These tasks have a precomputed execution time, so the enforcer can sleep completely till the next scheduled task. - Emergency rollover It is possible as a user to force the enforcer to introduce a new key at any given time ignoring the schedule. The Enforcer will then try to use that key as soon as possible and deprecate the old key(s). The procedure is exactly the same as a configured manual rollover, where a rollover takes place only on user indication. - HSM key pre-generation As entropy is a scarce resource, generating new keys can take a considerable amount of time. The Enforcer tries to keep a pool of pre-generated keys ready to speed up general key management. 3 CHANGES FOR THE USER - TTL for zonedata signatures A design decision is that the Enforcer does not have access to the zonefiles. But in order to do completely safe rollovers it must know the value of the longest TTL in the zone. A new tag is introduced in kasp.xml: . If not specified the enforcer will fall back to the old behaviour and use a TTL of 5 days for the signatures over the regular resource records. IMPORTANT NOTE: This TTL is NEVER published. The enforcer uses it to make sure rollovers are always DNSSEC valid. The actual TTLs in the zonefile are used by the signer and published. - ds-seen command has ds-gone counterpart. The decoupling of keys and rollovers (more on this later) makes this command necessary. ds-retract lists every key which DS is currently published at the parent but must be removed. With ds-gone the user can specify that a certain key is actually removed, just like the ds-seen command. - Command channel Just like the signer the enforcer can be interacted with via a client, 'ods-enforcer' in this case. 'ods-enforcer help' for more information about the available commands. 4 TODO BEFORE FINAL RELEASE - Provide migration scripts to support the transition from an earlier OpenDNSSEC installation. - Specify in the KASP what rollover strategy is preferred. - Provide database backend. 5 FUTURE FEATURES - Support for 5011 - Handling of offline HSMs and possibly report next expected HSM access. - Adding zones interactively. The database should become the authoritative source for the configuration. Upon adding a zone via the command channel zonelist.xml should be written. - Support for standby keys. 6 BUILDING FROM SOURCE REPOSITORY When building the Enforcer from the subversion repository two new software dependencies are added: java and protocolbuffers 7 ENFORCER INTERNALS The inner working and behavior of the enforcer is fairly technical and mathematical of nature and this is no place to go in depth about that. There are however some key concepts which may be interesting for some trying to understand the Enforcer's possibilities and limitations. Others may skip this section as no operational information is discussed. The first step in the Enforcer NG is to introduce a cache centered approach rather than a rollover centered approach. In a rollover centered approach the Enforcer would take key A and B, then in a predefined order steps are being taken to introduce B and outroduce A. This is simple to implement but not very flexible. For example it would not be possible to interrupt a rollover from A to B at an arbitrary point in time and start a rollover to key C. The cache centered approach has no notion of what a rollover is but rather how caching validators *may* see the zone. A goal of the Enforcer is to keep the served zones at all times in a DNSSEC valid state (i.e. not bogus), regardless of what is being asked of it. To achieve this keys are completely decoupled from rollovers and policy. Each time the enforcer is active it tries to bring every key to some next state without breaking DNSSEC validation. The DNSSEC rules are mathematically defined but no rolling procedures are defined, it just evaluates validity of a possible move. This is the reason the Enforcer can do all kind of 'weird' rollovers such as algorithm, policy, or HSM rollover. For example, rolling from a split key scenario with a shared KSK to a single key scenario of another algorithm is nothing special. As a consequence the Enforcer SHOULD NEVER output a signer configuration that may lead to some validators declaring the zone bogus. It should be noted that the Enforcer (right now) does not have any senses and needs to trust the signer to run within some interval and publish the zone as well as trust the user not to lie about the DS submission at the parent. Other than that, the user may provide novel/silly input, which may lead to a silly zone but never bogus. 8 NEVER ASKED QUESTIONS Q: How do I perform policy rollover? A: edit zonelist.xml change the policy tag and execute "ods-enforcer update zonelist". Key will now be generated according to the new policy. Alternatively edit the policy in kasp.xml and execute "ods-enforcer update kasp". Q: How do I gracefully unsign my zone? A: Remove all , and/or sections in the policy and than update the kasp. All published keys will now retract. Q: Can I speed up the process when debugging the enforcer? A: Yes, use "ods-enforcer time leap" to immediately execute the first task scheduled. WARNING, never use this in production, this WILL break validation.