[Opendnssec-develop] interface between enforcer and signer

John Dickinson jad at jadickinson.co.uk
Tue Feb 24 11:56:28 UTC 2009

On 24 Feb 2009, at 11:32, Rick van Rein wrote:

> Hello,
>> a set of draft schemas are now available at
>> http://www.opendnssec.se/browser/docs/xml .
> In addition to my remarks on the instance files:
> kasp / policy / denial / nsec | nsec3
> 	Strictly speaking, a party could decide to support both.
> 	For instance while moving away from one and going to the other.
> 	Similarly, multiple nsec-chains and/or multiple nsec3-chains
> 	could co-exist.
> 	Would those setups be represented by different policies?

The signer can do the switch once the new chain is complete.

> kasp / zone / policy
> 	Should a zone not be able to move from one policy to another?
> 	And as a result, should there not be an old and new policy?

There is only the current, to be used from now on policy. The signer must ensure that existing signatures and nsec chains don't break while implementing the current policy no matter how different the current policy is from the one moments before. I will admit this may be ambitious - Jelte does this scare you? Do we need any additional info?

> Several of these remarks may turn out to be unfashionable for v1.
> One remark is not, and that's the general problem of XML: it only
> defines syntax.  Several of my questions relate to semantics, or how
> to interpret the values described by the XML syntax.  It could be
> very helpful to annotate as much as possible of the intended use
> of each data element, either in a separate text or in comments
> alongside each element/attribute.  In writing them, please try to
> misinterpret the data in as many ways as possible, and try to write
> with a clarity that avoids such misinterpretations.  Note that several
> of my comments can be ranked as possible mis-interpretations, or in
> other words, as calls for such semantics clarifications in text.

Hopefully, this is being covered by linking KASP to the draft that Stephen and I wrote.

> I hope .rnc can incorporate such comments, because I like the format
> _much_ better than either DTD or XML Schema -- that is, there does not
> seem to be a way to read these formats falsely, given a bit of
> experience with regexps.  A good find!  What tools do you use to
> process RNC files into XML Schema and/or DTD?

I don't think you actually have to go to XML Schema. e.g. libxml2 will do relax-ng validation directly I think - http://xmlsoft.org/html/libxml-relaxng.html#xmlRelaxNGValidateDoc


John Dickinson
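An added example (not from the thread or the OpenDNSSEC project) of the direct RELAX NG validation John refers to, using lxml, the Python binding to libxml2's xmlRelaxNGValidateDoc. It assumes lxml is installed and uses a constructed stand-in schema in the XML form of RELAX NG, since libxml2 does not read the compact .rnc syntax (an .rnc file would first be converted with a tool such as trang); it also illustrates Rick's point that the schema checks syntax only, so a syntactically valid but semantically dubious value passes.

```python
"""Validate constructed KASP-style instances against a RELAX NG schema via libxml2 (lxml)."""
from lxml import etree

# Constructed stand-in for the draft KASP schema (NOT the OpenDNSSEC schema).
# denial is a choice: exactly one of <nsec/> or <nsec3> per policy.
KASP_RNG = b"""<grammar xmlns="http://relaxng.org/ns/structure/1.0">
  <start>
    <element name="kasp">
      <oneOrMore>
        <element name="policy">
          <attribute name="name"/>
          <element name="denial">
            <choice>
              <element name="nsec"><empty/></element>
              <element name="nsec3">
                <element name="iterations"><text/></element>
              </element>
            </choice>
          </element>
        </element>
      </oneOrMore>
    </element>
  </start>
</grammar>"""

# Constructed sample instances.
VALID_NSEC3 = b'<kasp><policy name="default"><denial><nsec3><iterations>5</iterations></nsec3></denial></policy></kasp>'
# Both chains at once: rejected, because the schema models denial as a choice.
BOTH_CHAINS = b'<kasp><policy name="default"><denial><nsec/><nsec3><iterations>5</iterations></nsec3></denial></policy></kasp>'
# Semantically meaningless iteration count: accepted, because <text/> only constrains syntax.
NEGATIVE_ITERATIONS = b'<kasp><policy name="default"><denial><nsec3><iterations>-1</iterations></nsec3></denial></policy></kasp>'


def validate_kasp(xml_bytes):
    """Return (is_valid, errors); errors is a list of libxml2 validator messages."""
    schema = etree.RelaxNG(etree.fromstring(KASP_RNG))  # compiled from the RNG XML form
    doc = etree.fromstring(xml_bytes)
    ok = schema.validate(doc)  # wraps xmlRelaxNGValidateDoc
    return ok, [str(err.message) for err in schema.error_log]


if __name__ == "__main__":
    for label, instance in (("nsec3", VALID_NSEC3), ("both chains", BOTH_CHAINS),
                            ("negative iterations", NEGATIVE_ITERATIONS)):
        ok, errors = validate_kasp(instance)
        print(f"{label}: {'valid' if ok else 'INVALID'} {errors}")
```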
