[Opendnssec-develop] interaction between the Signer and KASP

John Dickinson jad at jadickinson.co.uk
Thu Dec 18 16:14:59 CET 2008


On 18 Dec 2008, at 14:50, Jelte Jansen wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John Dickinson wrote:
>>
>> On 18 Dec 2008, at 13:22, Matthijs Mekking wrote:
>>>
>>> A debate has resulted in some questions and a proposal that  
>>> affects the
>>> interaction between the Signer and KASP module
>>
>> My understanding (and what I have started developing) is that the
>> enforcer will run as a daemon. It will read KASP, create keys and  
>> call
>> the signer when ever signing is needed. It will tell the signer:
>>
>
> and this is why we need to write this stuff down before we start to
> actually do anything.

Yes :)

>
>
> We were told that the KASP only responded when the signing engine  
> asked
> it to (which is of course not practical at all, hence Matthijs'  
> message).
>
> And if it responded it responded with "for zone X use keys Y1 Y2 Y3  
> with
> parameters Z etc".
>
> Since that signer engine is the one handling incoming zone changes it
> must always have the current key list available, to name one thing.
>
>> what zone to sign
>> what adapter to use to get that zone
>> what adapter to use publish the signed results with
>
> this is told by the kasp?

I thought it was part of the policy. But now that I look that isn't  
written down anywhere other than in passing in the DB schema I sent  
round the other week.


>>
>>> 1. From the opendnssec.org website, I assume that the Signer has to
>>> determine the inception and expiration times on signatures. It can
>>> determine this from the refresh interval. (Ok, not a real  
>>> question:))
>>
>> It will be told all the information it needs to know by the enforcer.
>>
>
> we are trying to figure out exactly what that is :)
>
>> I thought that in the first instance, the enforcer and signer would  
>> be
>> separate things but that in a later iteration they would be brought
>> together into one modular system.
>>
>
> Actually, i am now thinking that we have completely different views on
> what the different parts do (and where what intelligence lies).
>
>> If this is not what we are developing then I need to know :) Shall we
>> have a quick phone call about it? I am available tomorrow all day.
>>
>
> i think i'm officially done for the year after today, but i could  
> set up
> a conference call room if the rest wants to too, apparently we already
> have a communication problem :)

Yes - I am happy to have the call in the new year if that if easier  
for everyone. I wasn't planning to do much more this year except send  
santa a list of gadgets that I need :)

Over the holiday, I will write up a short document describing what I  
think the different parts are, what they do and how they link  
together. I will send that round and maybe we can use it as the basis  
for some discussion in the new year.

John



More information about the Opendnssec-develop mailing list