[Opendnssec-develop] Re: Our little get-together. Re: Progressing OpenDNSSEC.
roy at nominet.org.uk
Fri Nov 14 22:15:36 UTC 2008
Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 11/10/2008 11:30:07 AM:
> Here are a few notes from our little get-together in Dubai. I've added
> Matthijs to the CC. Is there a mailinglist for this project.
Hi Olaf, now there is indeed a mailinglist for this project.
> --- Begin Notes ---
> * There are two functions that opendnssec needs to fulfill:
> 1 - A piece of software: DNSSEC in a box
> 2 - A set of procedures and documentation initially within a wiki.
> We currently concentrate on getting piece 1 done with the
> understanding that 1 is not complete without having it documented.
> * The first phase of the project intends to be finalized by the 2nd
> quarter of 2009.
> 3 major arch components are needed for that.
> * The KASP, with its policy language and policy engine (John
> Dickinson is the lead for that)
> * A PKCS#11 software engine (Richard Bondesson has that token)
> * A signer, including zone input-output, with the ability to
> interface using the PKCS#11 API (Jelte/NLnetLabs).
> With respect to the signer the expected functionality is that it will
> be able to take a zonefile as input and generate a signed zonefile and/
> or take zone-fragments (with specific requirements on ordering) and
> sign those for insertion later.
> At the end of phase 1 the expectation is that this is all packaged and
> ready for use by IIS and Nominet and potentially other clients.
> Roy takes the token to document this and make a project plan.
> A few personal notes and thoughts added to this. We did refer to these
> during the discussion but I am not sure what the level of mutual
> commitment on these ideas was.
> - As far as the input-output requirements we will need to make sure
> that the expectations are clear. Those are to be documented in Roy's
> requirements document (correct?)
That is correct.
> - During the meeting I referred to the 'vapor ware' that we call
> Masterdont. The core of this idea is that we have a kernel that is
> aware of all possible interactions with, properties off, and relations
> of the environments with zone.
> In that context I think it is important to make the zone I/O
> intelligence and the KASP language extendible so that KASP is to
> become a subset of a zone-policy language that not only describes the
> signing and key properties of zones but can also describe TTL,
> Nameserver, and content properties for zones.
KASP was specifically designed with DNSSEC in mind, and deals with the
various timings, state and properties of keys. I think what you are
referring to is the ability to contain KASP in NSCP. I think that generic
configuration items should go into NSCP, and that various state properties
of keys should remain in KASP.
> I have asked Matthijs to set up requirements for this (based on KASP
> and NSCP) and come up with an architecuture of what I refer to as the
> "Masterdont kernel". Although work on phase 1 of the project is to
> large extend orthogonal to this idea there are a few hooks, specifically
> - Colleagues from SURFNET are interested in working along and even
> providing resources in the form of a programmer. I am not sure if
> there is need for adding resources to phase 1 of the project (and if
> we do if there is efficiency gain). But I think they should be privy
> to the requirements document.
I think that we have covered most (all) bases with the current team. I
have no problem adding development resources if there is a yet
unidentified part of this project. However, I'm not convinced we more
resources. However, since SURFNET host a large amount of zones, I can see
value in inviting them to test the software.
> - At NLnet Labs we are cranking up the investments on this. Synced
> expectations would be good?
> Concluding: What is the next step: A document by Roy?
> If we are meeting in MSP, then we need to plan a timeslot. My agenda
> is filling fast.
I send out a quick doodle for allocating a timeslot next week.
More information about the Opendnssec-develop