[Opendnssec-develop] interface between enforcer and signer

Jelte Jansen jelte at NLnetLabs.nl
Wed Feb 25 09:27:55 UTC 2009


John Dickinson wrote:
>> It is not clear yet what PT2H means, and how it differs from 2H.
>> Similarly for P3D, P7D, P14D, PT12H, PT300S.  Do I read from the
>> <signatures/> element that SOA parameters are decided upon by
>> the KASP/Enforcer?
> PT2H and friends are defined here
> http://www.w3schools.com/Schema/schema_dtypes_date.asp

btw, for now, I'm interpreting month and year to be a wild guess at the number
of seconds (they only have meaning in the context of a specific time). The right
way to do this is to calculate the actual time to wait depending on the full
datetime when it is needed. That is a todo.

> The Enforcer needs to know the SOA parameters in order to correctly
> calculate key rollover. I think it is best if the signer ensures that
> the signed zone uses parameters that the Enforcer expects. Of course, it
> would be nice if there was a link between the registry system that
> builds the un-signed zone and the KASP DB as well.

should we make an interface back so the KASP can query the engine for the SOA of
a zone?

>> If I recall well (but I am not 100% sure) the <opt-out/> allowed
>> for partial opt-outs in the zone list.  I am not convinced this
> Partial opt-outs are bad and would make dynamic updates impossible. Let's
> just not go there.

to leave the option open, we opted (heh) for just the element as opposed to
something like <opt-out>yes</opt-out>, so if we decide we can actually do
partial opt-out, the names to opt-out or not could be added as child elements.

But as opt-out is performed in the 'nsec3-hash' namespace, in the end it will be
pretty unpredictable what ranges in the 'normal' zone are opted-out, and that
makes me wary of having partial opt-out.

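Added example, not code from the thread or from OpenDNSSEC: a parser for the xsd:duration subset quoted above (P14D, PT2H, PT300S and friends), with the fixed-seconds guess for months and years beside the calendar-aware computation the message calls the right way. Function names (parse_duration, approx_seconds, deadline) are my own.

```python
import re
import calendar
from datetime import datetime, timedelta

# Non-negative integer subset of xsd:duration: PnYnMnDTnHnMnS (no sign, no fractions).
DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)

def parse_duration(text):
    """Split 'P14D', 'PT2H', 'PT300S', ... into its six components."""
    m = DURATION_RE.match(text)
    if not m or text == "P" or text.endswith("T"):
        raise ValueError(f"not an xsd:duration: {text!r}")
    years, months, days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return {"years": years, "months": months, "days": days,
            "hours": hours, "minutes": minutes, "seconds": seconds}

def approx_seconds(d):
    """The 'wild guess': treat a month as 30 days and a year as 365 days."""
    return (d["years"] * 365 * 86400 + d["months"] * 30 * 86400 + d["days"] * 86400
            + d["hours"] * 3600 + d["minutes"] * 60 + d["seconds"])

def add_months(when, n):
    """Calendar-aware month step; the day is clamped to the target month's length."""
    month_index = when.month - 1 + n
    year = when.year + month_index // 12
    month = month_index % 12 + 1
    day = min(when.day, calendar.monthrange(year, month)[1])
    return when.replace(year=year, month=month, day=day)

def deadline(start, text):
    """The right way: apply years/months on the calendar from 'start',
    then add the day/time part, whose length is fixed, as a timedelta."""
    d = parse_duration(text)
    when = add_months(start, d["years"] * 12 + d["months"])
    return when + timedelta(days=d["days"], hours=d["hours"],
                            minutes=d["minutes"], seconds=d["seconds"])

if __name__ == "__main__":
    start = datetime(2009, 1, 31)  # constructed sample datetime
    for text in ("PT2H", "P14D", "PT300S", "P1M"):
        print(text, approx_seconds(parse_duration(text)), deadline(start, text))
```

From 2009-01-31, P1M lands on 2009-02-28 (28 days), while the fixed-seconds guess says 30 days; for PT2H or P14D both agree, which is why the guess is only wrong for months and years.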

