[Opendnssec-develop] interaction between the Signer and KASP
jad at jadickinson.co.uk
Thu Dec 18 15:14:59 UTC 2008
On 18 Dec 2008, at 14:50, Jelte Jansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> John Dickinson wrote:
>> On 18 Dec 2008, at 13:22, Matthijs Mekking wrote:
>>> A debate has resulted in some questions and a proposal that
>>> affects the
>>> interaction between the Signer and KASP module
>> My understanding (and what I have started developing) is that the
>> enforcer will run as a daemon. It will read KASP, create keys and
>> the signer when ever signing is needed. It will tell the signer:
> and this is why we need to write this stuff down before we start to
> actually do anything.
> We were told that the KASP only responded when the signing engine
> it to (which is of course not practical at all, hence Matthijs'
> And if it responded it responded with "for zone X use keys Y1 Y2 Y3
> parameters Z etc".
> Since that signer engine is the one handling incoming zone changes it
> must always have the current key list available, to name one thing.
>> what zone to sign
>> what adapter to use to get that zone
>> what adapter to use publish the signed results with
> this is told by the kasp?
I thought it was part of the policy. But now that I look that isn't
written down anywhere other than in passing in the DB schema I sent
round the other week.
>>> 1. From the opendnssec.org website, I assume that the Signer has to
>>> determine the inception and expiration times on signatures. It can
>>> determine this from the refresh interval. (Ok, not a real
>> It will be told all the information it needs to know by the enforcer.
> we are trying to figure out exactly what that is :)
>> I thought that in the first instance, the enforcer and signer would
>> separate things but that in a later iteration they would be brought
>> together into one modular system.
> Actually, i am now thinking that we have completely different views on
> what the different parts do (and where what intelligence lies).
>> If this is not what we are developing then I need to know :) Shall we
>> have a quick phone call about it? I am available tomorrow all day.
> i think i'm officially done for the year after today, but i could
> set up
> a conference call room if the rest wants to too, apparently we already
> have a communication problem :)
Yes - I am happy to have the call in the new year if that if easier
for everyone. I wasn't planning to do much more this year except send
santa a list of gadgets that I need :)
Over the holiday, I will write up a short document describing what I
think the different parts are, what they do and how they link
together. I will send that round and maybe we can use it as the basis
for some discussion in the new year.
More information about the Opendnssec-develop