[Opendnssec-develop] OpenDNSSEC Project Management
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Jan 14 08:21:32 UTC 2009
>> Regarding the nameserver version - I did a bit of thinking about that
>> last year and came to the conclusion that it would be better to start
>> with a nameserver and add signing than to start with a signer and add
>> most of a nameserver to it. I came up with the following vague idea (the
>> may be mis-understandings about how NSD works so feel free to put me
>> right):
>
>> NSD already has the ability to fork a process to perform XFR. This
>> process uses IPC to signal to the parent that new zone data needs
>> reloading. How about adding a signer process to NSD and re-directing the
>> IPC so that it goes to the signer and once any signatures are added a
>> signal is sent to parent to trigger the reload. NSD also has the
>> necessary timers needed to trigger refreshes of the zone. presumably
>> these could be used to trigger re-signings and key rollover as well.
>> This signer process might well use KASP in order to figure out what to
>> do and when. Thus it would evolve from the PoC of OpenDNSSEC.
>
>
> Actually, there is already a version of NSD that does automatic zone
> (re)signing. It's the one modified by secure64. But I don't think NSD is a good
> starting point. We don't need something that's optimized on fast individual
> answers, we need something that is optimized to coherent changes both from
> within (automatic signing) and outside (zone updates and key changes) to
> individual zones.
>
> This is even without IXFR. But if we're looking ahead; NSD is *really* not
> suited for serving IXFR.
+1 for both reasons. However, of course, this should not prevent us to
copy some useful parts.
Matthijs
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 544 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090114/88bf9219/attachment.bin>
More information about the Opendnssec-develop
mailing list