[Opendnssec-develop] Re: Our little get-together. Re: Progressing OpenDNSSEC.
Roy Arends
roy at nominet.org.uk
Sat Nov 15 23:22:49 UTC 2008
Olaf Kolkman <olaf at NLnetLabs.nl> wrote on 11/15/2008 04:51:51 PM:
> >> - During the meeting I referred to the 'vapor ware' that we call
> >> Masterdont. The core of this idea is that we have a kernel that is
> >> aware of all possible interactions with, properties of, and
> >> relations of the environments with zone.
> >>
> >> In that context I think it is important to make the zone I/O
> >> intelligence and the KASP language extendible so that KASP is to
> >> become a subset of a zone-policy language that not only describes the
> >> signing and key properties of zones but can also describe TTL,
> >> Nameserver, and content properties for zones.
> >
> > KASP was specifically designed with DNSSEC in mind, and deals with the
> > various timings, state and properties of keys. I think what you are
> > referring to is the ability to contain KASP in NSCP. I think that
> > generic configuration items should go into NSCP, and that various
> > state properties of keys should remain in KASP.
>
> That is not exactly what I refer to.
>
> A zone can have many properties, such as the policy it is signed with,
> which keys are used to implement that policy, which nameservers it is
> served on, which clients are allowed to query it, its SOA timing
> parameters, etc, etc. Some of these properties are expressed in the
> language that KASP will use for its configuration, others will be used
> in NSCP.
Yes.
> If you are starting on a framework to maintain a subset of properties
> for zones, which I think KASP is, then you better make sure you can
> add the other pieces too. Make it extendable: while not solving all of
> one's problems at once make sure you can in the future build upon the
> foundations you are setting.
Okay. Let's go over this face to face next week. I think we're in
agreement, though we might not be convinced ;-)
> >> I have asked Matthijs to set up requirements for this (based on KASP
> >> and NSCP) and come up with an architecture of what I refer to as the
> >> "Masterdont kernel". Although work on phase 1 of the project is to a
> >> large extent orthogonal to this idea there are a few hooks,
> >> specifically
> >
> >> - Colleagues from SURFNET are interested in working along and even
> >> providing resources in the form of a programmer. I am not sure if
> >> there is need for adding resources to phase 1 of the project (and if
> >> we do if there is efficiency gain). But I think they should be privy
> >> to the requirements document.
> >
> > I think that we have covered most (all) bases with the current team. I
> > have no problem adding development resources if there is a yet
> > unidentified part of this project. However, I'm not convinced we need
> > more resources. However, since SURFNET host a large amount of zones, I
> > can see value in inviting them to test the software.
>
> I think that might be rather late. Why not use them as a sounding
> board for assessing if your current set of requirements and your
> vision would work for them?
That is a good idea. Could you elaborate on who is your point of contact
within SURFNET?
Thanks,
Roy