[Opendnssec-develop] Signer Testplan: first try

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Apr 9 08:10:44 UTC 2009

Hash: SHA1

Hi Rick,

Thanks for the comments. Notice that the document is a first set up only.

Rick van Rein schreef:
> Hello Matthijs and Jelte,
> Thank you for this testing document.  Here are some remarks I have.
> Tests 7 and 20:
> 	Textual only: These numbers occur more than once.
> 	You may want to check out \newcounter, \addtocounter, \usecounter


> Tests 3 and 7#2:
> 	I don't like the idea of being liberal where semantics are
> 	concerned.  If you are proposing to tolerate semantical mistakes,
> 	I would be tempted to vote against that.  Maybe I just need to know
> 	what semantics you would be willing to interpret, and inhowfar.
> 	As a general rule, the security implications of systems that
> 	interpret my intentions "oh you MUST have meant to say X" gives
> 	me the creeps.  I'd much rather have a clear error message and a
> 	total bail-out.

This is not a proposal, more up for discussion. The thing is, some
semantics are easy to detect and some are more difficult. The NSEC3
<Algorithm> for example can only be a few valid algorithm identifiers.

The <Locator> element however depends on the reachability of the HSM,
the availability of the key. These things you might not want to check
while reading the configuration, but rather take for granted.

Or we can perform all semantic checks on the signconf.xml before
accepting it.

> Test 8:
> 	Language only: The words resign and re-sign have different meaning
> 	in the English language.  You meant to say re-sign, I think.

I mean the one where new signatures may need to be created ;)

> Test 12:
> 	If I got the informal drift of what jitter means, I think this test
> 	is overlooking slave duplication times and cache keeping times.
> 	It is a matter of discussion whether this suffices for the first
> 	version.  If OpenDNSSEC is to actually become a product, it should
> 	allow for the time for the signed data to go live, meaning that
> 	the slave and cache delays should be taken into account in this
> 	calculation.

It is merely to enforce partial zone re-signing.

> Test 13:
> 	I don't understand what this is about.

Inception offset (previously called clockskew) is used when you are
uncomfortable with setting the signature inception datetime to NOW. With
Inception offset you can create signatures that are valid from 1hr ago,
1day ago, or something like.

Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Opendnssec-develop mailing list