[Opendnssec-develop] KASP Auditor Requirements

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Apr 23 13:32:38 UTC 2009

"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 23/04/2009 

> Hash: SHA256
> > I've placed the first draft of (what I consider to be) the 
> > requirements for the KASP Auditor on the wiki:
> > 
> >       http://www.opendnssec.se/wiki/Signer/AuditorRequirements
> > 
> *****
> 2.2. The KA should be able to accept the input zone data in the form of:
>    a. A zone file.
>    b. An AXFR.
> 2.4. The KA must be able to accept the output zone data in the form of:
>    a. A zone file.
>    b. An AXFR.
> *****
> I haven't check how the Signer Engine handles the zones, but it 
> would be nice to have hooks into the internal zone data rather than 
> implementing I/O adapters for the KA. Now it is specified as a bump 
> on the road, but that is perhaps how we want it?
> // Rickard

I hadn't considered that when I wrote the document, which is why only zone 
file and AXFR were specified.

Thinking it through in more detail though, I think that this restriction 
does have real justification. The auditor is an independent check on the 
signer to confirm that the signer has correctly transformed the input data 
into the output data.  The only way to do that is to compare what goes 
into the signer with what comes out of it.  If the auditor hooks into 
internal signer data structures, it risks missing problems in the part of 
the signer that reads and parses the input data, or in the part that 
converts the internal representation to the output format.


More information about the Opendnssec-develop mailing list