[Opendnssec-develop] OpenDNSSEC Project Management

Olaf Kolkman olaf at NLnetLabs.nl
Tue Jan 13 23:31:39 UTC 2009 

This got stuck in the moderators queue... resend without picture

On Jan 13, 2009, at 5:59 PM, Olaf Kolkman wrote:

>
> On Jan 13, 2009, at 4:13 PM, John Dickinson wrote:
>
>>
>> Regarding the nameserver version - I did a bit of thinking about  
>> that last year and came to the conclusion that it would be better  
>> to start with a nameserver and add signing than to start with a  
>> signer and add most of a nameserver to it. I came up with the  
>> following vague idea (the may be mis-understandings about how NSD  
>> works so feel free to put me right):
>
>
>
> John,
>
> As an aside...
>
> Below is a picture that most of the project people have been  
> involved in have seen and that has developed separately from  
> OpenDNSSEC. The picture is a an architecture for what I call  
> "Masterdont"
>
> It contains all intelligence about the concept of zones and would  
> for instance know when data for a specific zone was changed, what  
> the state for IXFR or incoming AXFR is.
>
> When talking to opendnssec folk it appeared to me that the  
> opendnssec architecture could naturally hook into this architecture.  
> Basically by having the KASP API and the Crypto  API live on the  
> bottom of the kernel in this picture.
>
> In all honesty I am looking at the developments from a distance but  
> I have the feeling that most of the uncertainty and risk of this  
> project is in the "Zone Intelligence" that is needed. I have not  
> been convinced that we do not need parts of this "Masterdont Kernel"  
> to do the implementation: A clear understanding of when zones are  
> subject to change and a state machine that understands that it  
> received data from the KASP or understands that it needs to poll the  
> KASP so that it can schedule generations of (a subset of) a zones  
> signatures.
>
> If you want to follow a POC that does not do IXFR then I do not see  
> a fundamental difference with an implementation that is just a KASP  
> aware signer that takes in an (un)signed zone file and spits out a  
> (re)signed zonefile based on existing policy. Pulling in a zonefile  
> over DNS and spitting it out over DNS is just window dressing. At  
> the moment you want to do more and be more flexible you will need to  
> understand all the various states a zone can be in.
>
> I will try to be on the call tomorrow and will try to shut up.
>
>
> --Olaf
>
>
>
>
> <Untitled(0884C51E).png>
>
>
>
>
>
>
> -----------------------------------------------------------
> Olaf M. Kolkman                        NLnet Labs
>                                       Science Park 140,
> http://www.nlnetlabs.nl/               1098 XG Amsterdam
>
> NB: The street at which our offices are located has been
> renamed to the above.
>
>
>
>

-----------------------------------------------------------
Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

NB: The street at which our offices are located has been
renamed to the above.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090114/9840ffb5/attachment.bin>

More information about the Opendnssec-develop mailing list