[Opendnssec-develop] Algorithm Type and NSEC/NSEC3
Jakob Schlyter
jakob at kirei.se
Thu Jul 9 14:00:10 UTC 2009
I understand your proposal, but I still believe that using ambiguous
mnemonics is a bad idea. We may however revisit this issue for a later
release, and perhaps use a different set of XML tags at that point.
Remember that we are close to release and that features like this will
distract us from working code!
Jakob - architect on vacation, but still alert
--
Sent from my iPhone, hence this mail might be briefer than normal.
On 9 jul 2009, at 15.17, "Rickard Bondesson"
<rickard.bondesson at iis.se> wrote:
> To summarize my suggestion:
>
> Change the meaning of Policy/Keys/KSK/Algorithm and
> Policy/Keys/ZSK/Algorithm from algorithm type (currently 1, 5, and 7)
> to the algorithm name representing the signing mechanism (e.g. RSASHA1
> and RSAMD5 or something similar). So that it does not specify anything
> about NSEC/NSEC3 in the KASP policy for the key.
>
> When a key-pair is assigned to a zone within the Enforcer, it will
> get the correct algorithm type according to the denial type in
> the current policy in combination with the RSASHA1 or RSAMD5.
>
> NSEC + MD5 = 1
> NSEC + RSASHA1 = 5
> NSEC3 + RSASHA1 = 7
>
> The Signer Engine will still get 1, 5, or 7 in the signconf.xml from
> the communicated. So we should still be able to change policies
> (e.g. going from NSEC to NSEC3), since the key-pair itself will
> remember its own algorithm type.
>
> So the change is only in kasp.xml (.rnc) and when assigning a
> key-pair to a zone in the KASP database. To make it easier for the user.
>
> // Rickard
>
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
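The resolution step Rickard describes, and the ambiguity Jakob objects to, can both be seen in a small model. The following is an added example written for this archive page; it is not OpenDNSSEC's Enforcer code, and the class and function names (`Policy`, `Zone`, `resolve_algorithm`, `keys_unusable_with_nsec3` and so on) are hypothetical. It uses the three (denial type, mechanism) pairs from the post and goes slightly beyond them by adding the DSA rows (DSA = 3, DSA-NSEC3-SHA1 = 6), which are the other IANA numbers that follow the same NSEC/NSEC3 aliasing. The key-pair keeps the number it was given at assignment, so switching a policy from NSEC to NSEC3 leaves earlier keys at 5 while new keys get 7; the last function flags those earlier keys, because an NSEC3-unaware validator will fail to validate denial-of-existence answers from a zone whose DNSKEY RRset carries only pre-NSEC3 algorithm numbers, instead of treating the zone as insecure the way RFC 5155 intends.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# (denial type, signing mechanism) -> IANA DNSSEC algorithm number.
# Rows 1, 5 and 7 are the ones given in the post; the DSA rows
# (RFC 2536 DSA = 3, RFC 5155 DSA-NSEC3-SHA1 = 6) are added here.
# RSAMD5 has no NSEC3 alias, so ("NSEC3", "RSAMD5") is deliberately absent.
ALGORITHM_NUMBER: Dict[Tuple[str, str], int] = {
    ("NSEC", "RSAMD5"): 1,
    ("NSEC", "DSA"): 3,
    ("NSEC", "RSASHA1"): 5,
    ("NSEC3", "DSA"): 6,
    ("NSEC3", "RSASHA1"): 7,
}

# RFC 5155 defines 6 and 7 as aliases so that an NSEC3-unaware validator
# treats a zone signed with them as insecure rather than bogus.
NSEC3_CAPABLE = {6, 7}


def resolve_algorithm(denial: str, mechanism: str) -> int:
    """Enforcer-side step of the proposal: the number is chosen when a
    key-pair is assigned to a zone, from the policy's denial type."""
    try:
        return ALGORITHM_NUMBER[(denial, mechanism)]
    except KeyError:
        raise ValueError(f"{mechanism} cannot be used with {denial}") from None


def numbers_for_mechanism(mechanism: str) -> List[int]:
    """Jakob's objection made concrete: a mnemonic alone does not name a
    number. RSASHA1 resolves to both 5 and 7."""
    return sorted(n for (_, m), n in ALGORITHM_NUMBER.items() if m == mechanism)


@dataclass
class Policy:
    denial: str            # NSEC or NSEC3 (Policy/Denial in kasp.xml)
    ksk_mechanism: str     # Policy/Keys/KSK/Algorithm under the proposal
    zsk_mechanism: str     # Policy/Keys/ZSK/Algorithm under the proposal


@dataclass
class KeyPair:
    role: str
    algorithm: int         # fixed at assignment; the key remembers it


@dataclass
class Zone:
    name: str
    policy: Policy
    keys: List[KeyPair] = field(default_factory=list)

    def assign_key(self, role: str) -> KeyPair:
        mech = self.policy.ksk_mechanism if role == "KSK" else self.policy.zsk_mechanism
        key = KeyPair(role, resolve_algorithm(self.policy.denial, mech))
        self.keys.append(key)
        return key


def signconf_algorithms(zone: Zone) -> List[Tuple[str, int]]:
    """What the Signer Engine would see in signconf.xml: stored numbers only."""
    return [(k.role, k.algorithm) for k in zone.keys]


def keys_unusable_with_nsec3(zone: Zone) -> List[KeyPair]:
    """Check to run after a policy change to NSEC3: keys still carrying
    1/3/5 must be rolled, since NSEC3-unaware validators cannot validate
    denial-of-existence for them and would see bogus rather than insecure."""
    if zone.policy.denial != "NSEC3":
        return []
    return [k for k in zone.keys if k.algorithm not in NSEC3_CAPABLE]


def nsec_to_nsec3_scenario() -> dict:
    """Walk through the NSEC -> NSEC3 change from the post on constructed data."""
    policy = Policy(denial="NSEC", ksk_mechanism="RSASHA1", zsk_mechanism="RSASHA1")
    zone = Zone("example.test", policy)  # constructed zone name
    zone.assign_key("KSK")
    zone.assign_key("ZSK")
    before = signconf_algorithms(zone)

    policy.denial = "NSEC3"            # operator edits the policy
    new_zsk = zone.assign_key("ZSK")   # next key assigned now gets 7
    after = signconf_algorithms(zone)
    stale = [(k.role, k.algorithm) for k in keys_unusable_with_nsec3(zone)]
    return {"before": before, "after": after, "new_zsk": new_zsk.algorithm, "stale": stale}


if __name__ == "__main__":
    print(nsec_to_nsec3_scenario())
    print("RSASHA1 ->", numbers_for_mechanism("RSASHA1"))
```

Running the module prints the before/after signconf numbers for the constructed zone and shows that the mnemonic RSASHA1 alone resolves to two numbers, which is exactly why the policy-level name cannot replace the number without the denial type alongside it.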