[Opendnssec-develop] OpenDNSSEC Project Management
Olaf Kolkman
olaf at NLnetLabs.nl
Tue Jan 13 23:31:39 UTC 2009
This got stuck in the moderators queue... resend without picture
On Jan 13, 2009, at 5:59 PM, Olaf Kolkman wrote:
>
> On Jan 13, 2009, at 4:13 PM, John Dickinson wrote:
>
>>
>> Regarding the nameserver version - I did a bit of thinking about
>> that last year and came to the conclusion that it would be better
>> to start with a nameserver and add signing than to start with a
>> signer and add most of a nameserver to it. I came up with the
>> following vague idea (the may be mis-understandings about how NSD
>> works so feel free to put me right):
>
>
>
> John,
>
> As an aside...
>
> Below is a picture that most of the project people have been
> involved in have seen and that has developed separately from
> OpenDNSSEC. The picture is a an architecture for what I call
> "Masterdont"
>
> It contains all intelligence about the concept of zones and would
> for instance know when data for a specific zone was changed, what
> the state for IXFR or incoming AXFR is.
>
> When talking to opendnssec folk it appeared to me that the
> opendnssec architecture could naturally hook into this architecture.
> Basically by having the KASP API and the Crypto API live on the
> bottom of the kernel in this picture.
>
> In all honesty I am looking at the developments from a distance but
> I have the feeling that most of the uncertainty and risk of this
> project is in the "Zone Intelligence" that is needed. I have not
> been convinced that we do not need parts of this "Masterdont Kernel"
> to do the implementation: A clear understanding of when zones are
> subject to change and a state machine that understands that it
> received data from the KASP or understands that it needs to poll the
> KASP so that it can schedule generations of (a subset of) a zones
> signatures.
>
> If you want to follow a POC that does not do IXFR then I do not see
> a fundamental difference with an implementation that is just a KASP
> aware signer that takes in an (un)signed zone file and spits out a
> (re)signed zonefile based on existing policy. Pulling in a zonefile
> over DNS and spitting it out over DNS is just window dressing. At
> the moment you want to do more and be more flexible you will need to
> understand all the various states a zone can be in.
>
> I will try to be on the call tomorrow and will try to shut up.
>
>
> --Olaf
>
>
>
>
> <Untitled(0884C51E).png>
>
>
>
>
>
>
> -----------------------------------------------------------
> Olaf M. Kolkman NLnet Labs
> Science Park 140,
> http://www.nlnetlabs.nl/ 1098 XG Amsterdam
>
> NB: The street at which our offices are located has been
> renamed to the above.
>
>
>
>
-----------------------------------------------------------
Olaf M. Kolkman NLnet Labs
Science Park 140,
http://www.nlnetlabs.nl/ 1098 XG Amsterdam
NB: The street at which our offices are located has been
renamed to the above.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 194 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090114/9840ffb5/attachment.bin>
More information about the Opendnssec-develop
mailing list