[Opendnssec-develop] KASP Auditor Requirements
Stephen.Morris at nominet.org.uk
Stephen.Morris at nominet.org.uk
Thu Apr 23 13:32:38 UTC 2009
"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 23/04/2009
14:13:06:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > I've placed the first draft of (what I consider to be) the
> > requirements for the KASP Auditor on the wiki:
> >
> > http://www.opendnssec.se/wiki/Signer/AuditorRequirements
> >
>
> *****
> 2.2. The KA should be able to accept the input zone data in the form of:
> a. A zone file.
> b. An AXFR.
> 2.4. The KA must be able to accept the output zone data in the form of:
> a. A zone file.
> b. An AXFR.
> *****
>
> I haven't check how the Signer Engine handles the zones, but it
> would be nice to have hooks into the internal zone data rather than
> implementing I/O adapters for the KA. Now it is specified as a bump
> on the road, but that is perhaps how we want it?
>
> // Rickard
I hadn't considered that when I wrote the document, which is why only zone
file and AXFR were specified.
Thinking it through in more detail though, I think that this restriction
does have real justification. The auditor is an independent check on the
signer to confirm that the signer has correctly transformed the input data
into the output data. The only way to do that is to compare what goes
into the signer with what comes out of it. If the auditor hooks into
internal signer data structures, it risks missing problems in the part of
the signer that reads and parses the input data, or in the part that
converts the internal representation to the output format.
Stephen
More information about the Opendnssec-develop
mailing list