[Opendnssec-develop] interaction between the Signer and KASP

John Dickinson jad at jadickinson.co.uk
Thu Dec 18 14:32:17 UTC 2008


On 18 Dec 2008, at 13:22, Matthijs Mekking wrote:

> Hi,
>
> A debate has resulted in some questions and a proposal that affects the
> interaction between the Signer and KASP module

My understanding (and what I have started developing) is that the
enforcer will run as a daemon. It will read KASP, create keys and call
the signer whenever signing is needed. It will tell the signer:

what zone to sign
what adapter to use to get that zone
what adapter to use to publish the signed results with
which keys to use
where the keys are
etc...


> The OpenDNSSEC project designs the Signer as a client to the KASP
> module. Whenever the Signer needs to sign stuff, it needs to contact the
> KASP module in order to retrieve the security parameters. This might
> lead to a lot of traffic between the two modules, since it is expected
> that the Signer has to sign a lot. We would like to propose that KASP
> signals the Signer in case any changes have occurred. The KASP already
> needs to apply the changes, so we expect that it is little work for the
> KASP module to send out a signal after the change is complete. Can we
> make that assumption and is there any comment on this proposal?
>
> Furthermore, some questions came to our mind that we could not answer.
> Maybe this list can help us out:)
>
> 1. From the opendnssec.org website, I assume that the Signer has to
> determine the inception and expiration times on signatures. It can
> determine this from the refresh interval. (Ok, not a real question:))

It will be told all the information it needs to know by the enforcer.

I thought that in the first instance, the enforcer and signer would be  
separate things but that in a later iteration they would be brought  
together into one modular system.

If this is not what we are developing then I need to know :) Shall we  
have a quick phone call about it? I am available tomorrow all day.

John


