[Opendnssec-develop] interaction between the Signer and KASP
jelte at NLnetLabs.nl
Thu Dec 18 15:50:17 CET 2008
John Dickinson wrote:
> On 18 Dec 2008, at 13:22, Matthijs Mekking wrote:
>> A debate has resulted in some questions and a proposal that affects the
>> interaction between the Signer and KASP module.
> My understanding (and what I have started developing) is that the
> enforcer will run as a daemon. It will read KASP, create keys and call
> the signer whenever signing is needed. It will tell the signer:
And this is why we need to write this stuff down before we start to
actually do anything.
We were told that the KASP only responded when the signing engine asked
it to (which is of course not practical at all, hence Matthijs' message).
And if it responded, it responded with "for zone X use keys Y1 Y2 Y3 with
parameters Z etc.".
Since that signer engine is the one handling incoming zone changes it
must always have the current key list available, to name one thing.
> what zone to sign
> what adapter to use to get that zone
> what adapter to use to publish the signed results with
This is told by the KASP?
> which keys to use
> where the keys are
OK, those are a given.
>> 1. From the opendnssec.org website, I assume that the Signer has to
>> determine the inception and expiration times on signatures. It can
>> determine this from the refresh interval. (OK, not a real question :))
> It will be told all the information it needs to know by the enforcer.
We are trying to figure out exactly what that is :)
> I thought that in the first instance, the enforcer and signer would be
> separate things but that in a later iteration they would be brought
> together into one modular system.
Actually, I am now thinking that we have completely different views on
what the different parts do (and where what intelligence lies).
> If this is not what we are developing then I need to know :) Shall we
> have a quick phone call about it? I am available tomorrow all day.
I think I'm officially done for the year after today, but I could set up
a conference call room if the rest wants to too; apparently we already
have a communication problem :)
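The handoff John lists (zone, input adapter, output adapter, keys, key locations) and the signature timing question Matthijs raises are modelled below as an added example. It is not OpenDNSSEC code and not the interface the project settled on; the field names, the key locator, the one-hour inception back-dating and the "re-sign when less than the refresh interval remains" rule are all assumptions chosen to illustrate the point. The timestamp rendering is the RRSIG presentation format from RFC 4034 (YYYYMMDDHHmmSS, UTC).

```python
"""Hypothetical enforcer -> signer task, plus the RRSIG timing the signer
would derive from it. Illustrative only; not OpenDNSSEC's real interface."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class KeyRef:
    keytag: int
    role: str       # "KSK" or "ZSK"
    locator: str    # assumed: label the signer uses to find the key in the HSM


@dataclass(frozen=True)
class SignTask:
    """What the enforcer tells the signer for one zone (assumed field set)."""
    zone: str
    input_adapter: str                  # where to fetch the unsigned zone
    output_adapter: str                 # where to publish the signed zone
    keys: tuple[KeyRef, ...]
    validity: timedelta                 # RRSIG lifetime
    refresh: timedelta                  # re-sign when less than this remains
    inception_offset: timedelta = timedelta(hours=1)  # absorb validator clock skew

    def __post_init__(self) -> None:
        # Reject tasks the signer could not act on safely.
        if not self.zone.endswith("."):
            raise ValueError("zone must be fully qualified")
        roles = {k.role for k in self.keys}
        if not {"KSK", "ZSK"} <= roles:
            raise ValueError("need at least one KSK and one ZSK")
        if self.refresh >= self.validity:
            raise ValueError("refresh must be shorter than validity")
        if self.inception_offset < timedelta(0):
            raise ValueError("inception offset must not be negative")


def rrsig_time(t: datetime) -> str:
    """RFC 4034 section 3.2 presentation form: YYYYMMDDHHmmSS in UTC."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def signature_window(task: SignTask, now: datetime):
    """Return (inception, expiration, resign_deadline) for signatures made now.

    Inception is back-dated so validators with slightly slow clocks accept
    the RRSIG; the re-sign deadline is the point at which less than the
    refresh interval is left before expiration."""
    inception = now - task.inception_offset
    expiration = now + task.validity
    resign_deadline = expiration - task.refresh
    return inception, expiration, resign_deadline


def needs_resign(task: SignTask, expiration: datetime, now: datetime) -> bool:
    """True when an existing RRSIG should be replaced on the next run."""
    return now >= expiration - task.refresh


# Constructed sample task; the zone and adapter strings are made up.
SAMPLE_TASK = SignTask(
    zone="example.org.",
    input_adapter="file:/var/opendnssec/unsigned/example.org",
    output_adapter="file:/var/opendnssec/signed/example.org",
    keys=(KeyRef(12345, "KSK", "ksk-example-org-1"),
          KeyRef(23456, "ZSK", "zsk-example-org-3")),
    validity=timedelta(days=7),
    refresh=timedelta(days=3),
)


def demo(now: datetime | None = None) -> dict:
    """Compute one signing window for SAMPLE_TASK; used by the caller below."""
    now = now or datetime(2008, 12, 18, 15, 50, 17, tzinfo=timezone.utc)
    inc, exp, deadline = signature_window(SAMPLE_TASK, now)
    return {
        "inception": rrsig_time(inc),
        "expiration": rrsig_time(exp),
        "resign_deadline": rrsig_time(deadline),
        "resign_now": needs_resign(SAMPLE_TASK, exp, now),
        "resign_at_deadline": needs_resign(SAMPLE_TASK, exp, deadline),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the validation in `SignTask.__post_init__` is that whichever side owns the policy, the signer must refuse a task it cannot carry out safely (no KSK, refresh longer than validity), since otherwise the zone silently goes bogus when signatures expire before they are replaced.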