[Opendnssec-develop] Project plan
Rick van Rein
rick at openfortress.nl
Tue Jan 20 12:55:39 UTC 2009
Hello Rickard,
> Here is my first draft on the project plan. Still missing some peaces like
> a more detailed time plan, since we need to plan the components a little
> bit more first.
I finally found the time to read your setup towards a project plan.
Thanks for the effort, first of all -- and here follows some constructive
feedback.
Background, 2nd par: You suggest that DNS is leaking _because_ it has been
araound for many years. It may be better to suggest that it was conceived
in a time when security was not a design issue for internet protocols.
3rd par: ...with the help of public-key cryptology: s/cryptology/cryptography/
(cryptology is more general, including attacks, which adds
nothing to what you are saying here)
is more general, including attacks, which adds
nothing to what you are saying here)
1.4 Goals -> I would like to mention cryptographic USB-style tokens and
smart cards as well, because they cover a low-price alternative for those
who manage small domains. (I remark that this will introduce a number of
challenges, as mentioned on the list before: the need to establish a secure
source of timing, and lack of abundant space for key storage.)
3.1 Protocol Compliance -> I am not wholly convinced that _generating_
RFC 5011 is a good idea, but _accepting_ it certainly is.
Also, standards for plain DNS and a list of extensions would be good
to include here.
3.7 I/O of zone data: I am assuming TSIG is based on a pre-shared key.
It is good to add that, as it squashes questions about TKEY and SIG(0)
which are probably out-of-place here, given the fixed relationships
with slave name servers.
I have not found a note saying that we are assuming fixed relations
with name servers, both for incoming and outgoing DNS traffic.
6. Resource plan: Rogier Spoor is actually not available on the
mailing list; he is on a very long holiday.
7. Time plan: You did not mention the project parts that finished,
at least to my understanding: SoftHSM, Market Study. Also, it would
be good to have a steep deadline for the website. I really think
that could use (quite) some work. Remember Roland's mail, where he
told us that parties are walking out on us because the website lacks
detail -> in casu, RIPE NCC. When told about what was going on they
suddenly became enthousiastic. We need a proper website, guys!
8.1 "No similar OpenSource project available" -> bind9 is moving and
has recently added PKCS #11 interfacing as well as DDNS signing.
They also included ZKT to smoothen signing in a cronjob (anyone tried
bind9's version of ZKT yet? The separate download works well for me.)
8.3 Risk management -> 6, drawing conclusions on decisions is your
responsibility, Rickard. At least, that's what project management
means in my mind, and it's also what we spoke of in the telephone
conference. Of course, it shall be by voting, but you're the one
responsible for getting the vote and spreading the results of it.
9.4 I am currently writing a few articles about DNSSEC in the Dutch
InfoSecurity.nl magazine. I mentioned the SURFnet white paper in
episode 2. We are still talking about an episode 3, in which there
will be more howto-talk, and at which stage OpenDNSSEC would come
into view.
9.6 Final report -> I propose writing it as part of the acceptance
phase. Nobody will be motivated to write it afterwards.
9.7 I don't mind any interpretation of the wiki, but I keep hearing
two things:
1. The wiki is for final results only
2. The wiki is a place for discussion and voting
Both are fine with me, but it's not clear right now.
Hope this helps!
-Rick
More information about the Opendnssec-develop
mailing list