Skip to content

Incremental signing for signer#148

Closed
Philip-NLnetLabs wants to merge 462 commits intomainfrom
signer-incremental-faketime
Closed

Incremental signing for signer#148
Philip-NLnetLabs wants to merge 462 commits intomainfrom
signer-incremental-faketime

Conversation

@Philip-NLnetLabs
Copy link
Member

@Philip-NLnetLabs Philip-NLnetLabs commented Jan 15, 2026
edited
Loading

We're experimenting with incremental DNSSEC signing in 'dnst signer', to prepare for this fucntionality in Cascade.

Currently we can sign the changes in the .se zone between last Saturday and Sunday in 3 seconds. Loading the unsigned zone takes 6 seconds and writing out the new signed zone another 12 seconds.

For comparison, the non-incremental signer took ~35 seconds (vs 3s for incremental), even with parallelism.

ximon18 and others added 30 commits December 13, 2024 11:53
@ximon18
Another comment.
023392f
@ximon18
FIX: -M should permit the wrong key for the zone to be used.
6c8955a
@ximon18
Cargo fmt.
10756ec
@ximon18
More ZONEMD tests from RFC 8976.
064b78b
@mozzieongit
Clarify comments on ZONEMD records and placeholders
d2dac34
@mozzieongit
Speed up ZONEMD RR insertion into SortedRecords
ca9e1ed
@ximon18
Fix HINFO RRSIGs to match when HINFO is parsed and output correctly (…
cbc7f72 
…i.e. for when domain #468 is fixed).
@ximon18
Minor improvements in compatibility of generated zonefile comment for…
98fba67 
…mat with the original ldns-signzone.
@ximon18
Update to latest domain.
3e09526
@mozzieongit
Add empty test to not create output file before input file existence …
a9ef10c 
…check
@ximon18
Use new domain support for parallelized sorting to sign zones faster. (
6ce07e6 
…#34)
@ximon18
Cargo fmt.
3c92d3b
@ximon18
Update to latest domain.
b8a8d93
@ximon18
Update to latest domain.
045deb6
@ximon18
Revert the bidirectional hash map based checking for orphaned NSEC3 h…
4ed0ed5 
…ashed owner names, as it's slow AND original ldns-signzone doesn't check correctly for hashes that are not orphans due to correspoding to an ENT (as it discovers ENTs _after_ rejecting orphaned hashed owner names) AND the conclusion is that original ldns-signzone should strip NSEC(3)s on load, as we previously, and again now do.
@ximon18
Add a placeholder test to come back to later.
7e90b4e
@ximon18
Add a test based on the RFC 8976 root-servers.net example.
c1a8c4a
@ximon18
Document the difference in stripping of DNSSEC RRs on loading of the …
75425db 
…zonefile compared to the original ldns-signzone.
@ximon18
Minor consistency improvement in man page text.
186046c
@ximon18
Update to latest domain.
82524a6
@ximon18
FIX: NSEC3PARAM TTL should be set per original ldns-signzone behaviou…
e5c8602 
…r in LDNS mode, i.e. to 3600, or to 0 to match common tooling behaviour (BIND, dnssec-signzone, and OpenDNSSEC).
@ximon18
Add tests showning that glue records are not included in the NSEC(3) …
3b9e0b9 
…Type Bitmaps, to match RFC and original ldns-signzone behaviour.
@ximon18
Add a comment about a fragile test.
f3cc24c
@ximon18
Fix brittle test by controlling time.
d37a703
@ximon18
Bump domain.
378d6b5 
- Use new SignableZoneInPlace trait instead of the now removed Signer.
- Use new update_data() fn instead of more specific replace_soa() and replace_rrsig_for_apex_zonemd().
- Use generate_rrsigs() instead of trying to treat a single ZONEMD or a few ZONEMD RRs as a zone to be signed (which would also generate NSEC(3) and DNSKEY RRs etc).
- Fix examples to have correct NSEC3PARAM TTL matching updated behaviour to use 3600 like LDNS or SOA MINIMUM otherwise.
@ximon18
Bump domain and use the new simpler RRset::sign() API instead of call…
12fed25 
…ing generate_rrsigs() directly, also making it clearer that we are only signing a single RRset and don't need to pass in an unused SigningConfig.
@ximon18
Bump domain and adjust code to match.
aa1c5e7
@ximon18
Bump domain.
d71757f
@ximon18
Bump domain, allowing us to remove the ugly type signature on the cal…
82ee2e3 
…l to sign_zone() and explicit use of ByteMut.
@ximon18
Bump domain and update test TTL values to match. new fixed TTL select…
7a56955 
…ion logic.
Base automatically changed from keyset-faketime to main March 2, 2026 14:27
@Philip-NLnetLabs
Review feedback.
32bc016
@Philip-NLnetLabs
Merge branch 'keyset-extra-key-rolls' into keyset-signer
ddf00b1
@Philip-NLnetLabs
Merge branch 'main' into keyset-signer
3041008
@Philip-NLnetLabs
Merge branch 'signer' into signer-incremental
2efa7d3
@Philip-NLnetLabs
Passes first test.
c6ddd48
@Philip-NLnetLabs
Changes to pass test2/NSEC.
bf8106f
@Philip-NLnetLabs
Now passes test3/NSEC.
913da31
@Philip-NLnetLabs
A bit of cleanup.
c0fbbf3
@Philip-NLnetLabs
Clippy
6304a9d
@Philip-NLnetLabs
Passes test 1 for NSEC3.
cea21ad
@Philip-NLnetLabs
All 3 tests pass for NSEC3.
b09ac29
@Philip-NLnetLabs
Factor out some common code.
1ecc6ce
@Philip-NLnetLabs
Support for NSEC3 opt-out.
357cf39
@Philip-NLnetLabs
Initial incremental refresh of signatures and key rolls.
10f67c7
@Philip-NLnetLabs
Add ZONEMD to incremental signing. And some small changes.
add6ac8
@Philip-NLnetLabs
Support for moving between NSEC and NSEC3.
9f4c9da
@Philip-NLnetLabs
Add serial policy to incremental signing.
4984f1f
@Philip-NLnetLabs
Add notify command to incremental signing.
4413126
@Philip-NLnetLabs
Add verbose option.
ebbff24
@Philip-NLnetLabs
Update domain.
25745b2
@Philip-NLnetLabs Philip-NLnetLabs force-pushed the signer-incremental-faketime branch from 28cc5e6 to 25745b2 Compare March 2, 2026 19:31
@Philip-NLnetLabs Philip-NLnetLabs deleted the signer-incremental-faketime branch March 2, 2026 19:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@Philip-NLnetLabs @ximon18 @mozzieongit @partim @tertsdiepraam @bal-e