[Opendnssec-develop] interaction between the Signer and KASP
John Dickinson
jad at jadickinson.co.uk
Mon Jan 12 11:05:54 UTC 2009
On 12 Jan 2009, at 08:55, Jelte Jansen wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> John Dickinson wrote:
>>
>> As promised here are my thoughts. This document is by no means complete
>> and is only intended to reflect my understanding of what we are doing.
>> Therefore, it will need some discussion :)
>>
>
> Just to beat the meeting and give us something to think about:
>
> What I'm missing from this document is where the actual content of the
> zones lives. The doc seems to suggest that it is 'xfr upon need': when
> some signing of a zone needs to be done, the contents are fetched. This
> is not as I had understood (rather, I thought the whole system was to be
> either an actual master or an 'active' slave to another master, keeping
> the zone data synced as much as possible).
>
> What to do when that data changes? Will the enforcer know of this change
> and tell the signer engine to XFR again and sign the new data?
I agree, we need to think about this. I see the system as having several
adapters between the zone data and the signer engine. One of these would
be as you suggest: an adapter that makes the signer appear to be a DNS
server. In that case we need to think about where state would be kept and
what the relationship is between the enforcer and the signer engine.
John