[Opendnssec-develop] OpenDNSSEC Project Management

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Jan 14 08:21:32 UTC 2009


>> Regarding the nameserver version - I did a bit of thinking about that
>> last year and came to the conclusion that it would be better to start
>> with a nameserver and add signing than to start with a signer and add
>> most of a nameserver to it. I came up with the following vague idea (there
>> may be misunderstandings about how NSD works so feel free to put me
>> right):
> 
>> NSD already has the ability to fork a process to perform XFR. This
>> process uses IPC to signal to the parent that new zone data needs
>> reloading. How about adding a signer process to NSD and re-directing the
>> IPC so that it goes to the signer and once any signatures are added a
>> signal is sent to parent to trigger the reload. NSD also has the
>> necessary timers needed to trigger refreshes of the zone. Presumably
>> these could be used to trigger re-signings and key rollover as well.
>> This signer process might well use KASP in order to figure out what to
>> do and when. Thus it would evolve from the PoC of OpenDNSSEC.
> 
> 
> Actually, there is already a version of NSD that does automatic zone
> (re)signing. It's the one modified by Secure64. But I don't think NSD is a good
> starting point. We don't need something that's optimized for fast individual
> answers, we need something that is optimized for coherent changes both from
> within (automatic signing) and outside (zone updates and key changes) to
> individual zones.
> 
> This is even without IXFR. But if we're looking ahead; NSD is *really* not
> suited for serving IXFR.

+1 for both reasons. However, of course, this should not prevent us from
copying some useful parts.

Matthijs

