[Opendnssec-develop] interaction between the Signer and KASP
John Dickinson
jad at jadickinson.co.uk
Thu Dec 18 14:32:17 UTC 2008
On 18 Dec 2008, at 13:22, Matthijs Mekking wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi,
>
> A debate has resulted in some questions and a proposal that affects
> the
> interaction between the Signer and KASP module
My understanding (and what I have started developing) is that the
enforcer will run as a daemon. It will read KASP, create keys and call
the signer when ever signing is needed. It will tell the signer:
what zone to sign
what adapter to use to get that zone
what adapter to use publish the signed results with
which keys to use
where the keys are
etc...
> The OpenDNSSEC project designs the Signer as a client to the KASP
> module. Whenever the Signer needs to sign stuff, it needs to contact
> the
> KASP module in order to retrieve the security parameters. This might
> lead to a lot of traffic between the two modules, since it is expected
> that the Signer has to sign a lot. We would like to propose that KASP
> signals the Signer in case of any changes had occurred. The KASP
> already
> needs to apply the changes, so we expect that it is little work for
> the
> KASP module to send out a signal after the change is complete. Can we
> make that assumption and is there any comment on this proposal?
>
> Furthermore, some questions came to our mind that we could not answer.
> Maybe this list can help us out:)
>
> 1. From the opendnssec.org website, I assume that the Signer has to
> determine the inception and expiration times on signatures. It can
> determine this from the refresh interval. (Ok, not a real question:))
It will be told all the information it needs to know by the enforcer.
I thought that in the first instance, the enforcer and signer would be
separate things but that in a later iteration they would be brought
together into one modular system.
If this is not what we are developing then I need to know :) Shall we
have a quick phone call about it? I am available tomorrow all day.
John
More information about the Opendnssec-develop
mailing list