[Opendnssec-develop] VB: Requirements for OpenDNSSEC v1.1/v1.2/v2

Rickard Bellgrim rickard.bellgrim at iis.se
Wed Dec 2 14:12:51 UTC 2009


FYI

> Hello Rickard,
> 
> please find my notes for the next version of OpenDNSSEC below.
> 
> I have used scripting interfaces to communicate with OpenDNSSEC so far.
> The Men & Mice Suite can fire a script whenever an object in the Men &
> Mice Suite changes (for example a Zone is created, the "use OpenDNSSEC"
> flag is changed on a zone, or zone content (RRs) is being changed).
> 
> External systems (such as OpenDNSSEC) can use the Men & Mice CLI
> (CommandLine Interface) or a SOAP Interface to report state and
> information back to the Men & Mice Suite. I currently use both methods
> and it works fine.
> 
> Ideas for changes in the next version of OpenDNSSEC:
> 
> 1)
> There is currently a script hook in OpenDNSSEC to inform an external
> system when a zone has been signed. The current target for this is to
> reload a DNS Server. I use this hook to reload the signed zone into the
> Men & Mice System, which sends the DNSSEC signed zone to one or more DNS
> Servers.
> 
> It would be useful to have a similar hook just before the signing
> starts. This could be used by an external system to fetch the recent
> version of the zone and place it into the "unsigned" directory. This
> would be similar to the zone-fetcher, but more generic.
> 
> Also, I recommend to rename the "NotifyCommand" Hook into
> "postSignCommand" (runs after zone is signed), and add a new hook called
> "preSignCommand" (runs just before zone is signed). These names are more
> generic, because the use can be also very generic.
> 
> 2) (independent from Men & Mice Suite integration)
> for a security relevant system such as OpenDNSSEC, accountability is
> important for larger organisations (sometimes demanded by regulators or
> the law).
> 
> Every change to the system (policy, add/resign/remove zone, key
> generation, ...) should be written to an audit log. This can be a table
> in the sqlite DB that can be listed by a commandline tool (for example
> ods-ksmutil history). Each audit history item should list
> * timestamp
> * user that has triggered the change (unix user id -> user name)
> * old value of setting, if applicable
> * new value of the setting, if applicable
> * change comment of user (optional)
> 
> It should be possible to write the audit log to different log-targets in
> addition to the local sqlite DB, such as:
> * unix syslog
> * file in filesystem
> * call external process with log information as parameters
> 
> For an external system, such as the Men & Mice Suite, it would be useful
> to be able to query history log entries.
> 
> 3)
> In the long run, I would like to try to port OpenDNSSEC to a Windows OS
> (not because I like Windows, but there is a demand for easy to use
> DNSSEC tools esp. in the Windows world). I haven't done any research yet
> on how easy or difficult a port might be, but if in general platform
> portability is kept in mind when deciding on features it would be a
> great help.
> 
> These are my notes so far. I have not been able to work on OpenDNSSEC
> since the beginning of November, as we had some heavy projects to
> finish.
> 
> I will pick it up later in December and January, and then I will likely
> come up with some more requests and ideas.
> 
> Best regards
> 
> Carsten Strotmann
> Men & Mice
> 
> 
> On 11/30/09 11:20 AM, Rickard Bellgrim wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> > Hi
> > Hopefully we have a RC1 this Friday and if everything goes well, then we
> > have a v1.0.0 within two weeks. Once we have release version 1.0.0 will
> > we start working on some minor improvements and then v2.
> > We would be happy if you could give your input on what you would like to
> > go into the requirements. This is from your perspective as a wrapper
> > program around OpenDNSSEC. What hooks would you like? Interfaces? How
> > the information is communicated?
> > Thanks
> > // Rickard
> > -----BEGIN PGP SIGNATURE-----
> > Version: 9.8.3 (Build 4028)
> > Charset: utf-8
> > wsBVAwUBSxOcdOCjgaNTdVjaAQhl3gf/Rf2yZEx9/6tt4or0wXrF4h88gWpfbD3w
> > v8osUqs2DATqflAbzKO4kKsKAeRYJYVixMbOMyRJef5YuqNdx8Qp1MPGOIrSPYHh
> > 694c+DyuSYxsdyZWyjYm5OjLdxnuMWd/UtPnfzi+4Mg21oXRft35mCRDNmpMoISX
> > Fi74VlXkfg98I6jWVnxO1Z7QjKOWlKQKzCIxqssL57pCIuHQwTp1x5rlx7kHmHSP
> > HF2sMXy00sgXkDEjEB/TIzmmUIUAIOzVJo2ODFN7eTzq91cVbu8BAtQBI86naGj3
> > 614wPfv3WpAJuELWVIw83xXh8osR3E96y45WR/SnYR8966q7uAVcHg==
> > =KRjy
> > -----END PGP SIGNATURE-----
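The audit-history proposal in point 2 above (timestamp, triggering user resolved from the Unix uid, old and new value, optional comment, stored in an sqlite table and optionally forwarded to syslog, a file, or an external process, with a history listing that an external system could query) can be sketched in a few dozen lines. The following is an added illustration, not OpenDNSSEC code and not Carsten's: the table name audit_history, the AuditLog/sink API and the sample changes it records are all assumptions made for the example.

```python
"""Sketch of the proposed audit history (added example; not OpenDNSSEC's own code)."""
import logging
import os
import sqlite3
import subprocess
import sys
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


def current_user() -> str:
    """Resolve the calling Unix user id to a user name (the mail's "uid -> user name")."""
    try:
        import pwd  # Unix only; fall back to the environment elsewhere
        return pwd.getpwuid(os.getuid()).pw_name
    except (ImportError, AttributeError, KeyError):
        return os.environ.get("USER") or os.environ.get("USERNAME") or "unknown"


@dataclass(frozen=True)
class AuditEntry:
    """One audit-history item carrying the fields listed in the mail."""
    timestamp: float
    user: str
    action: str                 # e.g. "add zone", "remove zone", "key generation"
    old_value: Optional[str]
    new_value: Optional[str]
    comment: Optional[str]

    def as_line(self) -> str:
        ts = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(self.timestamp))
        return (f"{ts} user={self.user} action={self.action!r} old={self.old_value!r} "
                f"new={self.new_value!r} comment={self.comment!r}")


Sink = Callable[[AuditEntry], None]


def file_sink(path: str) -> Sink:
    """Log target: append one line per change to a file in the filesystem."""
    def write(entry: AuditEntry) -> None:
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(entry.as_line() + "\n")
    return write


def logging_sink(logger: logging.Logger) -> Sink:
    """Log target via the logging module; add logging.handlers.SysLogHandler for Unix syslog."""
    return lambda entry: logger.info("%s", entry.as_line())


def process_sink(argv: List[str]) -> Sink:
    """Log target: call an external process with the log information as parameters."""
    def run(entry: AuditEntry) -> None:
        params = [str(entry.timestamp), entry.user, entry.action,
                  entry.old_value or "", entry.new_value or "", entry.comment or ""]
        subprocess.run(argv + params, check=True)
    return run


class AuditLog:
    """Audit history in a local sqlite table (hypothetical name audit_history), fanned out to sinks."""

    def __init__(self, db_path: str = ":memory:", sinks: Iterable[Sink] = ()):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute(
            "CREATE TABLE IF NOT EXISTS audit_history ("
            " id INTEGER PRIMARY KEY, ts REAL NOT NULL, user TEXT NOT NULL,"
            " action TEXT NOT NULL, old_value TEXT, new_value TEXT, comment TEXT)")
        self.sinks = list(sinks)

    def record(self, action: str, old_value: Optional[str] = None, new_value: Optional[str] = None,
               comment: Optional[str] = None, user: Optional[str] = None) -> AuditEntry:
        entry = AuditEntry(time.time(), user or current_user(), action, old_value, new_value, comment)
        with self.conn:  # commit to the local DB first, then inform the other targets
            self.conn.execute(
                "INSERT INTO audit_history (ts, user, action, old_value, new_value, comment)"
                " VALUES (?, ?, ?, ?, ?, ?)",
                (entry.timestamp, entry.user, entry.action, entry.old_value, entry.new_value, entry.comment))
        for sink in self.sinks:
            sink(entry)
        return entry

    def history(self, action_prefix: Optional[str] = None) -> List[AuditEntry]:
        """What an "ods-ksmutil history" style command or an external system would query."""
        sql = "SELECT ts, user, action, old_value, new_value, comment FROM audit_history"
        args: tuple = ()
        if action_prefix is not None:
            sql += " WHERE action LIKE ?"
            args = (action_prefix + "%",)
        return [AuditEntry(*row) for row in self.conn.execute(sql + " ORDER BY id", args)]


def demo():
    """Record a few constructed changes through all three targets; return (history, file lines)."""
    logfile = os.path.join(tempfile.mkdtemp(), "audit.log")
    # Constructed external process: only checks that it received the six parameters.
    checker = [sys.executable, "-c", "import sys; sys.exit(0 if len(sys.argv) == 7 else 1)"]
    log = AuditLog(sinks=[file_sink(logfile), logging_sink(logging.getLogger("audit")),
                          process_sink(checker)])
    log.record("add zone", new_value="example.com.", comment="initial import", user="carsten")
    log.record("change policy", old_value="RSASHA1", new_value="RSASHA256", user="rickard")
    log.record("remove zone", old_value="example.com.")  # user resolved from the process uid
    with open(logfile, encoding="utf-8") as fh:
        lines = fh.read().splitlines()
    return log.history(), lines


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry.as_line())
```

The sqlite insert is committed before any sink runs, so a failing external process or unreachable syslog cannot leave a change unrecorded locally; a deployment that must not lose the secondary copies would add retry or a spool for the sinks.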

