[Opendnssec-develop] Re: Our little get-together. Re: Progressing OpenDNSSEC.

Roy Arends roy at nominet.org.uk
Fri Nov 14 22:15:36 UTC 2008

Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 11/10/2008 11:30:07 AM:

> Folk,
> Here are a few notes from our little get-together in Dubai. I've added 
> Matthijs to the CC. Is there a mailinglist for this project.

Hi Olaf, now there is indeed a mailinglist for this project.

> --- Begin Notes ---
> * There are two functions that opendnssec needs to fulfill:
>    1 - A piece of software: DNSSEC in a box
>    2 - A set of procedures and documentation initially within a wiki.
>    We currently concentrate on getting piece 1 done with the 
> understanding that 1 is not complete without having it documented.
> * The first phase of the project intends to be finalized by the 2nd 
> quarter of 2009.
>    3 major arch components are needed for that.
>    * The KASP, with its policy language and policy engine (John 
> Dickinson is the lead for that)
>    * A PKCS#11 software engine (Richard Bondesson has that token)
>    * A signer, including zone input-output, with the ability to 
> interface using the PKCS#11 API (Jelte/NLnetLabs).
> With respect to the signer the expected functionality is that it will 
> be able to take a zonefile as input and generate a signed zonefile and/ 
> or take zone-fragments (with specific requirements on ordering) and 
> sign those for insertion later.
> At the end of phase 1 the expectation is that this is all packaged and 
> ready for use by IIS and Nominet and potentially other  clients.
> Roy takes the token to document this and make a project plan.


> A few personal notes and thoughts added to this. We did refer to these 
> during the discussion but I am not sure what the level of mutual 
> commitment on these ideas was.
> - As far as the input-output requirements we will need to make sure 
> that the expectations are clear. Those are to be documented in Roy's 
> requirements document (correct?)

That is correct.

> - During the meeting I referred to the 'vapor ware' that we call 
> Masterdont. The core of this idea is that we have a kernel that is 
> aware of all possible interactions with, properties off, and relations 
> of the environments with zone.
> In that context I think it is important to make the zone I/O 
> intelligence and the KASP language extendible so that KASP is to 
> become a subset of a zone-policy language that not only describes the 
> signing and key properties of zones but can also describe TTL, 
> Nameserver, and content properties for zones.

KASP was specifically designed with DNSSEC in mind, and deals with the 
various timings, state and properties of keys. I think what you are 
referring to is the ability to contain KASP in NSCP. I think that generic 
configuration items should go into NSCP, and that various state properties 
of keys should remain in KASP.
> I have asked Matthijs to set up requirements for this (based on KASP 
> and NSCP) and come up with an architecuture of what I refer to as the 
> "Masterdont kernel". Although work on phase 1 of the project is to 
> large extend orthogonal to this idea there are a few hooks, specifically

> - Colleagues from SURFNET are interested in working along and even 
> providing resources in the form of a programmer. I am not sure if 
> there is need for adding  resources to phase 1 of the project (and if 
> we do if there is efficiency gain). But I think they should be privy 
> to the requirements document.

I think that we have covered most (all) bases with the current team. I 
have no problem adding development resources if there is a yet 
unidentified part of this project. However, I'm not convinced we more 
resources. However, since SURFNET host a large amount of zones, I can see 
value in inviting them to test the software.
> - At NLnet Labs we are cranking up the investments on this. Synced 
> expectations would be good?


> Concluding: What is the next step: A document by Roy?


> If we are meeting in MSP, then we need to plan a timeslot. My agenda 
> is filling fast.

I send out a quick doodle for allocating a timeslot next week.


More information about the Opendnssec-develop mailing list