[Opendnssec-develop] OpenDNSSEC Project Management

Olaf Kolkman olaf at NLnetLabs.nl
Tue Jan 13 16:59:54 UTC 2009


On Jan 13, 2009, at 4:13 PM, John Dickinson wrote:

>
> Regarding the nameserver version - I did a bit of thinking about
> that last year and came to the conclusion that it would be better to
> start with a nameserver and add signing than to start with a signer
> and add most of a nameserver to it. I came up with the following
> vague idea (there may be misunderstandings about how NSD works so
> feel free to put me right):



John,

As an aside...

Below is a picture that most of the people involved in the project
have seen and that has developed separately from OpenDNSSEC. The
picture is an architecture for what I call "Masterdont".

It contains all intelligence about the concept of zones and would for  
instance know when data for a specific zone was changed, what the  
state for IXFR or incoming AXFR is.

When talking to opendnssec folk it appeared to me that the opendnssec
architecture could naturally hook into this architecture. Basically by
having the KASP API and the Crypto API live on the bottom of the
kernel in this picture.

In all honesty I am looking at the developments from a distance but I
have the feeling that most of the uncertainty and risk of this project
is in the "Zone Intelligence" that is needed. I have not been
convinced that we do not need parts of this "Masterdont Kernel" to do
the implementation: a clear understanding of when zones are subject to
change and a state machine that understands that it received data from
the KASP or understands that it needs to poll the KASP so that it can
schedule generation of (a subset of) a zone's signatures.

If you want to follow a POC that does not do IXFR then I do not see a
fundamental difference with an implementation that is just a KASP
aware signer that takes in an (un)signed zone file and spits out a
(re)signed zone file based on existing policy. Pulling in a zone file
over DNS and spitting it out over DNS is just window dressing. The
moment you want to do more and be more flexible you will need to
understand all the various states a zone can be in.

I will try to be on the call tomorrow and will try to shut up.


--Olaf
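The "zone intelligence" Olaf describes above (knowing when zone data changed, tracking what an incoming IXFR did, and deciding when the KASP policy requires a subset of a zone's signatures to be regenerated) can be sketched as a small state machine. The following is an added illustrative example written for this page; it is not OpenDNSSEC, NSD or Masterdont code. The Policy class is an assumed stand-in for the values a KASP would hand over, the zone contents are constructed sample data, and "signing" is reduced to stamping an expiry time so the scheduling logic can be followed without any cryptography.

```python
"""Toy zone state machine for policy-driven (re)signing. Added example, not project code."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional


class ZoneState(Enum):
    UNSIGNED = auto()        # zone data present, nothing signed yet
    SIGNED = auto()          # every RRset signed, none due for refresh
    RESIGN_PENDING = auto()  # at least one RRset needs (re)signing


@dataclass
class Policy:
    """Assumed stand-in for the parameters a KASP would provide to the signer."""
    sig_validity: int  # seconds a freshly generated signature stays valid
    sig_refresh: int   # re-sign once the remaining validity drops to this or below

    def __post_init__(self):
        # A refresh window at least as long as the validity would keep every
        # RRset permanently "due"; treat that as a policy error, not a schedule.
        if self.sig_refresh >= self.sig_validity:
            raise ValueError("sig_refresh must be shorter than sig_validity")


@dataclass
class RRset:
    owner: str
    rtype: str
    sig_expiry: Optional[int] = None  # absolute time; None means no valid signature


@dataclass
class Zone:
    name: str
    serial: int
    rrsets: dict = field(default_factory=dict)  # (owner, rtype) -> RRset
    state: ZoneState = ZoneState.UNSIGNED


def build_sample_zone():
    """Constructed sample zone: three unsigned RRsets at serial 1."""
    zone = Zone("example.org", serial=1)
    for owner, rtype in [("example.org", "SOA"), ("www.example.org", "A"), ("example.org", "MX")]:
        zone.rrsets[(owner, rtype)] = RRset(owner, rtype)
    return zone


def rrsets_needing_signature(zone, policy, now):
    """Sorted keys of RRsets that are unsigned or inside the refresh window."""
    due = [key for key, rr in zone.rrsets.items()
           if rr.sig_expiry is None or rr.sig_expiry - now <= policy.sig_refresh]
    return sorted(due)


def apply_ixfr(zone, changed_keys, new_serial):
    """Record an incoming change as an IXFR would deliver it: bump the serial and
    invalidate the signatures of the changed RRsets plus the SOA RRset (whose
    serial field changed, so its old signature no longer covers it)."""
    zone.serial = new_serial
    for key in set(changed_keys) | {(zone.name, "SOA")}:
        zone.rrsets[key].sig_expiry = None
    zone.state = ZoneState.RESIGN_PENDING
    return zone.state


def sign_due(zone, policy, now):
    """Sign only the RRsets that are due and return their keys; the rest keep
    their existing signatures, which is what makes incremental re-signing cheap."""
    signed = rrsets_needing_signature(zone, policy, now)
    for key in signed:
        # Real signature generation (RRSIG over the RRset) stands in here.
        zone.rrsets[key].sig_expiry = now + policy.sig_validity
    still_due = rrsets_needing_signature(zone, policy, now)
    zone.state = ZoneState.SIGNED if not still_due else ZoneState.RESIGN_PENDING
    return signed


def next_run_time(zone, policy, now):
    """When the scheduler must wake up next: immediately if anything is unsigned,
    otherwise the earliest moment an RRset crosses the refresh threshold."""
    thresholds = []
    for rr in zone.rrsets.values():
        if rr.sig_expiry is None:
            return now
        thresholds.append(rr.sig_expiry - policy.sig_refresh)
    return max(now, min(thresholds))


if __name__ == "__main__":
    policy = Policy(sig_validity=3000, sig_refresh=1000)
    zone = build_sample_zone()
    print("initial signing:", sign_due(zone, policy, now=1000), zone.state)
    print("next run at:", next_run_time(zone, policy, now=1000))
    apply_ixfr(zone, [("www.example.org", "A")], new_serial=2)
    print("after IXFR, re-signed:", sign_due(zone, policy, now=2000), zone.state)
    print("due at t=3000:", rrsets_needing_signature(zone, policy, now=3000))
```

The point the toy makes is the one in the message: once the signer must react to changes rather than re-sign whole files, every decision (what to sign now, when to wake up, whether the zone is in a consistent state) depends on per-RRset state that the signer has to track itself; a pure file-in, file-out signer never needs it.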




-------------- next part --------------
A non-text attachment was scrubbed...
Name: Untitled(0884C51E).png
Type: image/png
Size: 177630 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090113/4d9bc635/attachment.png>
-------------- next part --------------
-----------------------------------------------------------
Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

NB: The street at which our offices are located has been
renamed to the above.