[Opendnssec-develop] OpenDNSSEC Project Management
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Jan 14 08:16:04 UTC 2009
> Yes. But not even so much on the place of the system as a whole, but more on the
> subsystems and where what 'intelligence' lies, imho. Both seem to be different
> in everybody's view.
+1. We all seem to agree that an unsigned zone comes in [in any form],
is adapted to a signed zone that can be served [full or incremental] to
the actual slaves. However, there seems to be little consistency in how
this should be achieved, imo.
>> However, aren't we really after two configurations?
>
>> Configuration A
>> Master server --(unsigned zone via AXFR/IXFR)--> OpenDNSSEC --(signed zone
>> via AXFR/IXFR)--> Slave server
>
>> Configuration B
>> Unsigned zone file ----> OpenDNSSEC ----> Signed zone file (and automatic
>> loading into nameserver)
I thought the configuration always ended in a signed zone that can be
served to the slaves, incremental or full.
>> The first configuration is best suited to TLDs and ISPs that manage large
>> DNS installations, whereas the second would be ideal for companies that
>> manage a single zone with few names that changes relatively infrequently.
>> In both cases, OpenDNSSEC is doing the same job - signing zones and
>> managing keys. As OpenDNSSEC is targeted at all users, I think that we
>> should aim to build something that will handle both configurations. Most
>> of the core key management and scheduling code (but not the signing code)
>> will be common to both models, but IMHO the second will be easier to
>> program and may be best for an initial implementation.
>
>
> But those aren't the biggest challenges imho. It's keeping track of what data
> needs to be signed without walking through your entire collection of zones and
> all their records. In the case of TLDs and ISPs that is just not feasible.
I think both scheduling and tracking are challenging.
Matthijs
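The two challenges named in this message, scheduling signature refreshes and tracking which data actually needs (re)signing without walking every record of every zone on each pass, can be illustrated with a small change-tracking routine. The following is an added example written for this page; it is not OpenDNSSEC code and does not reflect how the project resolved the design question. It assumes a hypothetical signer that keeps one state record per RRset (a digest of the RRset contents plus the expiry time of its current RRSIG), receives each new zone version in simple presentation format, and refreshes a signature when it will expire within a configurable window. The zone text is constructed for the example; signing itself, NSEC/NSEC3 chain maintenance and SOA serial handling are deliberately left out.

```python
"""Added example (not OpenDNSSEC code): decide which RRsets of a zone need a
new RRSIG, given the previous signer state, without re-signing the whole zone.

Hypothetical assumptions:
  * zone versions arrive as presentation-format text: owner TTL class type rdata
  * the signer stores, per RRset, a digest of its rdata and the RRSIG expiry
  * a signature is refreshed once it is due to expire within `refresh` seconds
"""
import hashlib
from dataclasses import dataclass


@dataclass
class SigState:
    digest: str   # SHA-256 over the sorted rdata of the RRset
    expires: int  # unix time at which the current RRSIG expires


def parse_zone(text):
    """Group records by (owner, type) and return {key: sorted rdata list}."""
    rrsets = {}
    for line in text.splitlines():
        line = line.split(";")[0].strip()   # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
        rrsets.setdefault((owner.lower(), rtype.upper()), []).append(rdata)
    return {k: sorted(v) for k, v in rrsets.items()}


def rrset_digest(rdatas):
    """Content digest of one RRset; equal digests mean nothing to re-sign."""
    h = hashlib.sha256()
    for r in rdatas:
        h.update(r.encode())
        h.update(b"\n")
    return h.hexdigest()


def plan_signing(zone_text, state, now, refresh):
    """Return (to_sign, to_drop).

    to_sign: [(key, reason)] for RRsets whose data changed or whose RRSIG
             expires within `refresh` seconds of `now`.
    to_drop: keys present in the signer state but no longer in the zone.
    """
    rrsets = parse_zone(zone_text)
    to_sign, to_drop = [], []
    for key, rdatas in rrsets.items():
        st = state.get(key)
        if st is None or st.digest != rrset_digest(rdatas):
            to_sign.append((key, "changed"))
        elif st.expires - now <= refresh:
            to_sign.append((key, "expiring"))
    for key in state:
        if key not in rrsets:
            to_drop.append(key)
    return sorted(to_sign), sorted(to_drop)


def apply_plan(zone_text, state, now, lifetime, to_sign, to_drop):
    """Record the effect of signing: new digest and expiry per signed RRset."""
    rrsets = parse_zone(zone_text)
    for key, _reason in to_sign:
        state[key] = SigState(rrset_digest(rrsets[key]), now + lifetime)
    for key in to_drop:
        del state[key]
    return state


# Constructed sample zone versions (not real data).
ZONE_V1 = """
example.      3600 IN SOA ns1.example. hostmaster.example. 2009011401 7200 3600 1209600 3600
example.      3600 IN NS  ns1.example.
ns1.example.  3600 IN A   192.0.2.1
www.example.  3600 IN A   192.0.2.10
www.example.  3600 IN A   192.0.2.11
mail.example. 3600 IN A   192.0.2.20
"""

# Serial bumped, one www address replaced, mail.example removed.
ZONE_V2 = """
example.      3600 IN SOA ns1.example. hostmaster.example. 2009011402 7200 3600 1209600 3600
example.      3600 IN NS  ns1.example.
ns1.example.  3600 IN A   192.0.2.1
www.example.  3600 IN A   192.0.2.10
www.example.  3600 IN A   192.0.2.12
"""

if __name__ == "__main__":
    T0, LIFETIME, REFRESH = 1231920000, 30 * 86400, 7 * 86400
    state = {}
    for label, zone, now in (("v1", ZONE_V1, T0), ("v2", ZONE_V2, T0 + 86400)):
        to_sign, to_drop = plan_signing(zone, state, now, REFRESH)
        print(label, "sign:", to_sign, "drop:", to_drop)
        apply_plan(zone, state, now, LIFETIME, to_sign, to_drop)
```

On the first pass every RRset is new and gets signed; on the second pass only the SOA and the www RRset changed, mail.example is dropped, and the untouched NS and ns1 RRsets keep their signatures until the refresh window is reached. Per-RRset digests are what allow configuration A (incremental feed from a master) and configuration B (a whole file dropped in) to share the same tracking logic, since either input reduces to "which RRsets differ from what I signed last time".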