[Opendnssec-develop] OpenDNSSEC Project Management

Olaf Kolkman olaf at NLnetLabs.nl
Wed Jan 14 12:51:48 UTC 2009


Thanks for this first stab. But it does not answer an important question
which I think is core to the debate we are having: How is this
software supposed to integrate in existing environments?

I think I've seen two different answers to that question:
- As a component of the backend system generating zone files that can be read by a nameserver
- As a component that acts as a "bump in the wire"
- As a component that acts as a hidden master server
- Others....

I think that you could take the first approach as a proof of concept
to develop policies but I think another approach would need to be
taken for a seriously scalable system.

--Olaf




On Jan 14, 2009, at 1:11 PM, Stephen.Morris at nominet.org.uk wrote:

> A major obstacle to the widespread adoption of DNSSEC is the complexity of
> implementing it.  There is no package that one can install on a system,
> click the "start" button, and have DNSSEC running.  Instead, there are a
> variety of tools, none of which on their own is a complete solution.  To
> actually run a DNSSEC-enabled authoritative server requires writing custom
> scripts to link them together.  Even then, aspects of DNSSEC management
> such as key management and use of hardware assistance (such as HSMs) have
> not been adequately addressed.
>
> The aim of the OpenDNSSEC project is to produce software that will provide
> this comprehensive package.  Installed on a system it will, with a minimum
> amount of operator input:
>
> * Handle the signing of DNS records, including the regular re-signing
>   needed during normal operations.
> * Handle the generation and management of keys, including key rollover.
> * Seamlessly integrate with external cryptographic hardware such as HSMs.
>
> The OpenDNSSEC software will be applicable to a wide variety of DNS
> configurations, including (but not limited to):
>
> * Organisations (such as TLDs) that manage few zones, each with a large
>   number of records.
> * Organisations (such as ISPs) that manage a large number of zones, each
>   with few records.
> * Organisations (such as companies managing their own zones) that have a
>   single zone with relatively few records.

-----------------------------------------------------------
Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

NB: The street at which our offices are located has been
renamed to the above.



