[Opendnssec-develop] Algorithm Type and NSEC/NSEC3
Rickard Bondesson
rickard.bondesson at iis.se
Thu Jul 9 15:12:05 UTC 2009
That is why I say "or similar". Want to discuss the issue before
putting it to pivotal tracker. To see if more people share my view.
9 jul 2009 kl. 16.01 skrev "Jakob Schlyter" <jakob at kirei.se>:
> I understand your proposal, but I still believe that using ambigous
> mnemonics is a bad idea. We may however revisit this issue for a
> later release, and perhaps use a different set of XML tags at that
> point. Remember that we are close to release and that features like
> this will distract us from working code!
>
> Jakob - architect on vacation, but still alert
>
> --
> Sent from my iPhone, hence this mail might be briefer than normal.
>
> On 9 jul 2009, at 15.17, "Rickard Bondesson"
> <rickard.bondesson at iis.se> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> To summerize my suggestion:
>>
>> Change the meening of Policy/Keys/KSK/Algorithm and Policy/Keys/ZSK/
>> Algorithm from algorithm type (currently 1, 5, and 7) to the
>> algorithm name representing the signing mechanism (e.g. RSASHA1 and
>> RSAMD5 or something similar). So that it does not specify anything
>> about NSEC/NSEC3 in the KASP policy for the key.
>>
>> When a key-pair is assigned to a zone within the Enforcer, it will
>> be get the correct algorithm type according to the denial type in
>> the current policy in combination with the RSASHA1 or RSAMD5.
>>
>> NSEC + MD5 = 1
>> NSEC + RSASHA1 = 5
>> NSEC3 + RSASHA1 = 7
>>
>> The Signer Engine will still get 1, 5, or 7 in the signconf.xml
>> from the communicated. So we should still be able to change
>> policies (e.g. going from NSEC to NSEC3), since the key-pair itself
>> will remember its own algorithm type.
>>
>> So the change is only in kasp.xml (.rnc) and when assigning a key-
>> pair to a zone in the KASP database. To make it easier for the user.
>>
>> // Rickard
>> -----BEGIN PGP SIGNATURE-----
>> Version: 9.8.3 (Build 4028)
>> Charset: utf-8
>>
>> wsBVAwUBSlXuBuCjgaNTdVjaAQg0Ogf+LsMXqvx2yEjUCwlDCvYykaRSn/yUQSJT
>> g29bg0xDivRbs1vbHd0lk49/ykwyprhndzX3pk7g2pRUiTD2ij48pf9+o+piaUvt
>> 0Y0xMrfdtLv4Ml4vxFnVrZCHV6ro9OWuRAhQrPJIfBQ0JfePZnWm+5t5IBczl0Cx
>> aMQAbOT5CQVrUzZYTIf6w2GvA3CYLZ5r3OZoY4JwqFCVQWah/dyPWZpzoRFHWLw8
>> XulXQ0e/Z+zK0DA9hZyRLCzNVRHKmYErNACoHaf68Pte+NLUKS2yvFLYMSoSWk8B
>> 9Q39vrLGoBzTKcxig+TvyeW+4Wq+54IM2Eew4VLm3Xbi9v6qes0pJA==
>> =sW3z
>> -----END PGP SIGNATURE-----
>>
>> _______________________________________________
>> Opendnssec-develop mailing list
>> Opendnssec-develop at lists.opendnssec.org
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
More information about the Opendnssec-develop
mailing list