[Opendnssec-develop] OpenDNSSEC Project Management

John Dickinson jad at jadickinson.co.uk
Tue Jan 13 15:13:03 UTC 2009 

On 13 Jan 2009, at 14:40, Roy Arends wrote:

> OpenDNSSECers,
>
> When I took the lead to manage this project, I had the assumption that
> most of the architecture design was done, and what needed to follow  
> was a
> simple implementation of the parts. My view was that this would be  
> done in
> two phases. The first phase was a simple proof of concept, with mostly
> existing tools. The second phase is a production version.

That's what I understood as well.

> The proof of concept is simply a nameserver running as slave for the
> incoming unsigned zone, and as a master for the outgoing signed  
> zone. The
> magic that causes the flip from unsigned to signed would be a regular
> running script that consults a database for the proper crypto-related
> data.
>
> I stand corrected.
>
> The necessity for IXFR, and the complexity that comes with it,  
> renders the
> proof of concept completely useless for the production version. This
> became clear during the discussions at NLNetLabs last month.
>
> To be clear: I still want the proof of concept (PoC) version, albeit
> without IXFR.

Sorry, I don't understand now what the PoC is going to be. Something  
like what is on the wiki or a "...nameserver running as slave for the  
incoming unsigned zone, and as a master for the outgoing signed zone."?

I know the nameserver version is something that we want, but I never  
realized that was what we were building as a PoC. In my mind the PoC  
was more for investigating how the bits would hang together, what data  
KASP would contain and what algorithms are needed for manipulating the  
KASP data and turning that in to signing operations.

The nameserver version would evolve from that and reuse the technology  
and ideas developed by building the PoC.

Regarding the nameserver version - I did a bit of thinking about that  
last year and came to the conclusion that it would be better to start  
with a nameserver and add signing than to start with a signer and add  
most of a nameserver to it. I came up with the following vague idea  
(the may be mis-understandings about how NSD works so feel free to put  
me right):

NSD already has the ability to fork a process to perform XFR. This  
process uses IPC to signal to the parent that new zone data needs  
reloading. How about adding a signer process to NSD and re-directing  
the IPC so that it goes to the signer and once any signatures are  
added a signal is sent to parent to trigger the reload. NSD also has  
the necessary timers needed to trigger refreshes of the zone.  
presumably these could be used to trigger re-signings and key rollover  
as well. This signer process might well use KASP in order to figure  
out what to do and when. Thus it would evolve from the PoC of  
OpenDNSSEC.

Are you or Stephen going to be calling into the meeting tomorrow?
John

More information about the Opendnssec-develop mailing list