[Opendnssec-develop] interaction between the Signer and KASP

Olaf Kolkman olaf at NLnetLabs.nl
Wed Jan 14 11:52:26 UTC 2009


On Jan 14, 2009, at 11:42 AM, Rick van Rein wrote:

> Olaf,
>
>> Skimming your documents I understand that you focus on the atomic
>> coherency of possibly small sets of data (a couple of RRsets). The
>> immediate question that I have is how you take care of zone coherency.
>
> The small (RRset size) changes that propagate through the dataflow end
> at the zoneDB -- at that place, I imagine collecting all RRsets under
> a zone until they are followed by a SOA.  Then all up to then, including
> the SOA, is stored as an IXFR or AXFR into the zoneDB.

I think I need to understand what the ZoneDB stores.

In your picture I do not see any lines where, when an IXFR is processed,
information is collected from the ZoneDB, while deletions or additions
of RRsets have impact on e.g. NSEC[3] RRs that exist in the database.
Those will need to be maintained.

>
> This means that there is a transaction for each domain being signed,
> maintained upon entry in the zoneDB.  Or in other words, data is
> being collected in a pre-publishing file and later moved into the
> publication area if zoneDB is implemented in files.
>

I do not understand the above paragraph.

A ZoneDB implementation means that you have to do the NSEC3 generation  
by seeking appropriate entries in the file.


>> From a metalevel it is the operation on a zone that needs to be
>> 'atomic'. I would need to be explained how you maintain that view
>> within your design.
>
> 1a. Stuff comes in as an IXFR or AXFR, or
> 1b. Stuff is created in response to internal needs

I think I need to understand "internal needs". Internal to what?

>
>
> 2. Stuff is passed on as RRset-sized "Diff" messages, each atomic,
>   with a SOA "Diff" closing a zone's changes
>
> 3. Stuff gets processed per RRset: NSEC(3) appended, SOA serial number
>   inserted, RRSet signing
>

There is not a one-to-one relation between NSEC3s and a processed
RRset. Besides, this suggests a SOA number increase with each RRset (or I
am misreading here, which is highly likely).

> 4. Stuff gets collected and only published when the trailing SOA drips in
>
> So the SOA record mirrors what "commit" does in a database.  A new SOA
> record is needed on any change, as its serial number must be updated.
> And you'll never need more than one such change per zone update.  So
> it can serve as the "end of transaction" marker.
>

-----------------------------------------------------------
Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

NB: The street at which our offices are located has been
renamed to the above.
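
The two points argued above (the SOA Diff acting as the "commit" of a
per-zone transaction, and NSEC records not being one-to-one with the
RRset that changed) can be seen in a small simulation. This is an added
example for the archive page, not code from the thread and not part of
OpenDNSSEC; the Diff message format, the Zone class and the sample zone
data are assumptions constructed for the illustration. It stages
RRset-sized Diffs until the apex SOA arrives, then applies them
atomically, bumps the serial and rebuilds the NSEC chain, so a deletion
at b.example. visibly changes the NSEC owned by a.example.

```python
# Added example (not OpenDNSSEC code): RRset-sized Diffs staged per zone and
# committed when the SOA Diff arrives; NSEC chain rebuilt over the whole zone.
# The Diff format, Zone class and sample names below are assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Diff:
    op: str        # "add" or "del"
    owner: str     # owner name, e.g. "b.example."
    rtype: str     # RR type, e.g. "A"; an apex "SOA" closes the transaction
    rdata: tuple   # rdata fields as strings (ignored for "del")


def canonical_order(names):
    # DNSSEC canonical name order: compare labels right to left, case-insensitively.
    return sorted(names, key=lambda n: tuple(reversed(n.lower().rstrip(".").split("."))))


@dataclass
class Zone:
    apex: str
    rrsets: dict = field(default_factory=dict)   # (owner, type) -> rdata tuple (published)
    nsec: dict = field(default_factory=dict)     # owner -> (next_owner, type bitmap)
    serial: int = 0
    pending: list = field(default_factory=list)  # staged Diffs of the open transaction

    def receive(self, d: Diff):
        """Stage one Diff. Only an apex SOA Diff commits; returns the new serial then."""
        self.pending.append(d)
        if d.rtype == "SOA" and d.owner == self.apex:
            return self.commit()
        return None

    def commit(self):
        """Apply all staged Diffs to a copy, then swap it in: one atomic zone update."""
        staged = dict(self.rrsets)
        for d in self.pending:
            key = (d.owner, d.rtype)
            if d.op == "add":
                staged[key] = d.rdata
            elif d.op == "del":
                staged.pop(key, None)
            else:
                raise ValueError(f"unknown op {d.op!r}")
        soa = staged.get((self.apex, "SOA"))
        if soa is None:
            raise ValueError("transaction closed without an apex SOA")
        self.serial += 1                                   # signer-side serial increase
        staged[(self.apex, "SOA")] = soa[:2] + (str(self.serial),)
        self.rrsets = staged
        self.pending = []
        self.nsec = self.build_nsec_chain()                # chain depends on all owners
        return self.serial

    def build_nsec_chain(self):
        """NSEC for every owner: next name in canonical order plus the owner's type bitmap."""
        owners = canonical_order({owner for owner, _ in self.rrsets})
        chain = {}
        for i, owner in enumerate(owners):
            types = sorted({t for o, t in self.rrsets if o == owner} | {"NSEC", "RRSIG"})
            chain[owner] = (owners[(i + 1) % len(owners)], tuple(types))
        return chain


def demo():
    """Constructed scenario: two committed updates, then a Diff left uncommitted."""
    z = Zone("example.")
    z.receive(Diff("add", "example.", "NS", ("ns1.example.",)))
    for label in ("a", "b", "c"):
        z.receive(Diff("add", f"{label}.example.", "A", ("192.0.2.1",)))
    s1 = z.receive(Diff("add", "example.", "SOA", ("ns1.example.", "hostmaster.example.")))
    next_of_a_before = z.nsec["a.example."][0]

    # Deleting b.example. is a single Diff, but it rewrites the NSEC owned by a.example.
    z.receive(Diff("del", "b.example.", "A", ()))
    s2 = z.receive(Diff("add", "example.", "SOA", ("ns1.example.", "hostmaster.example.")))
    next_of_a_after = z.nsec["a.example."][0]

    # No SOA yet: this change stays staged and is not visible in the published zone.
    z.receive(Diff("add", "d.example.", "TXT", ("pending",)))
    return {
        "serials": (s1, s2),
        "next_of_a": (next_of_a_before, next_of_a_after),
        "b_has_nsec": "b.example." in z.nsec,
        "d_published": ("d.example.", "TXT") in z.rrsets,
        "staged": len(z.pending),
        "soa_serial_field": z.rrsets[("example.", "SOA")][2],
    }
```

Running demo() shows serials 1 and 2, a.example.'s NSEC moving from
b.example. to c.example. after the deletion, and the d.example. TXT
remaining staged with the serial unchanged until a SOA Diff closes that
transaction. A real signer would also have to re-sign the changed NSEC
(and with NSEC3, the hashed owner ordering) rather than just the
RRset named in the Diff.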