[Opendnssec-develop] OpenDNSSEC Project Management
Stephen.Morris at nominet.org.uk
Tue Jan 13 18:28:21 UTC 2009
jad at jadickinson.co.uk wrote on 13/01/2009 15:13:03:
> > OpenDNSSECers,
> >
> > When I took the lead to manage this project, I had the assumption that
> > most of the architecture design was done, and what needed to follow was a
> > simple implementation of the parts. My view was that this would be done in
> > two phases. The first phase was a simple proof of concept, with mostly
> > existing tools. The second phase is a production version.
>
> That's what I understood as well.

There seems to be some confusion as to what is being produced, so I think
Rickard's first job is to sort that out :-)

However, aren't we really after two configurations?

Configuration A
Master server --(unsigned zone via AXFR/IXFR)--> OpenDNSSEC --(signed zone via AXFR/IXFR)--> Slave server

Configuration B
Unsigned zone file ----> OpenDNSSEC ----> Signed zone file (and automatic loading into nameserver)

The first configuration is best suited to TLDs and ISPs that manage large
DNS installations, whereas the second would be ideal for companies that
manage a single zone with few names that changes relatively infrequently.

In both cases, OpenDNSSEC is doing the same job - signing zones and
managing keys. As OpenDNSSEC is targeted at all users, I think that we
should aim to build something that will handle both configurations. Most
of the core key management and scheduling code (but not the signing code)
will be common to both models, but IMHO the second will be easier to
program and may be best for an initial implementation.

> Are you or Stephen going to be calling into the meeting tomorrow?

I aim to be there.

Stephen