[Opendnssec-develop] OpenDNSSEC Project Management

Jelte Jansen jelte at NLnetLabs.nl
Tue Jan 13 23:24:33 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen.Morris at nominet.org.uk wrote:
> jad at jadickinson.co.uk wrote on 13/01/2009 15:13:03:
> 
>>> When I took the lead to manage this project, I had the assumption that
>>> most of the architecture design was done, and what needed to follow was a
>>> simple implementation of the parts.

BTW, Roy, I finally understand your optimistic view on the 'deadline' dates...

>>> My view was that this would be done in two phases. The first phase was a
>>> simple proof of concept, with mostly existing tools. The second phase is a
>>> production version.
>> That's what I understood as well.
> 
> There seems to be some confusion as to what is being produced, so I think 

Yes. But not even so much on the place of the system as a whole, but more on the
subsystems and where what 'intelligence' lies, imho. Both seem to be different
in everybody's view.

> Rickard's first job is to sort that out :-)
> 

Indeed. Then a project plan and some actual milestones would be nice asap. I
hope we can get there tomorrow, but I don't think we will be able to in the span
of one conference call.

In fact, last year, Roy already proposed to arrange a face 2 face meetup. I
guess his arrangements will now be out of the picture but I would like to ask
whether we can do this. Fast.

> However, aren't we really after two configurations?
> 
> Configuration A
> Master server --(unsigned zone via AXFR/IXFR)--> OpenDNSSEC --(signed zone via AXFR/IXFR)--> Slave server
> 
> Configuration B
> Unsigned zone file ----> OpenDNSSEC ----> Signed zone file (and automatic loading into nameserver)
> 


The left part of both A and B isn't really different from the viewpoint of
OpenDNSSEC.

Configuration B can be done with just about any signing tool currently
available. Technically, it's probably what we're all already running for our own
zones...

> The first configuration is best suited to TLDs and ISPs that manage large 
> DNS installations, whereas the second would be ideal for companies that 
> manage a single zone with few names that changes relatively infrequently. 
> In both cases, OpenDNSSEC is doing the same job - signing zones and 
> managing keys. As OpenDNSSEC is targeted at all users, I think that we 
> should aim to build something that will handle both configurations.  Most 
> of the core key management and scheduling code (but not the signing code) 
> will be common to both models, but IMHO the second will be easier to 
> program and may be best for an initial implementation.
> 

But those aren't the biggest challenges imho. It's keeping track of what data
needs to be signed without walking through your entire collection of zones and
all their records. In the case of TLDs and ISPs that is just not feasible.

> 
>> Are you or Stephen going to be calling into the meeting tomorrow?
> 
> I aim to be there.
> 

Good. Talk to you guys tomorrow.

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkltIrEACgkQ4nZCKsdOncWvJQCfUWdRwafcY2SLOZ2nZrkCBgYe
bSwAoJMebzFhDPeUda6GeMY/2GODtKxO
=iLJN
-----END PGP SIGNATURE-----


