[Opendnssec-develop] relationships between KASP parameters

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Wed Mar 11 18:49:42 UTC 2009


opendnssec-develop-bounces at lists.opendnssec.org wrote on 11/03/2009 
16:55:18:

> On 11 mar 2009, at 16.59, John Dickinson wrote:
> 
> > Sion and I are wondering if the Enforcer/libKSM should validate the 
> > policies. For example there could be a set of rules like:
> > - TTLs must be no less than 5 min and no greater than 2 years
> > - key lifetime must be at least n * TTLkey where n is some number 
> > like 5.
> > - ...
> >
> > these are made up examples please don't worry about the exact 
> > numbers for now :)
> >
> > Do people think that
> > a) the enforcer/libKSM is the place to do this
> > b) this should be done at all
> > c) this should be left for the GUI/CLI that populates the KASP DB?
> > d) this should wait for v2
> 
> I think we can do (d) right now and in the future decide if we do it 
> at all. This could be done by a standalone KASP "Lint" that reads the 
> policy XML.

Like Jakob, I suggest (d) for now.  However, I think it ought to be done 
at the point the policy is created, which is probably (c).  The easiest 
way might be to put another parameters table in the database with a set of 
maximum/minimum/default values.  Then every time a parameter is modified, 
it is checked against the thresholds and a warning output if they are 
exceeded.  (Note warning - we are not stopping the user exceeding a 
threshold, we are just warning them that it might not be advisable to do 
so.)

Stephen
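
The limits-table approach described in the message above, as an added example that is not part of the original message and is not OpenDNSSEC code: each modification is checked against minimum/maximum values and against the key-lifetime/TTL relationship, and out-of-range values are stored anyway with a warning returned. The table names, column names, parameter names and default values are hypothetical; the 5 minute and 2 year limits and n = 5 reuse the made-up figures from the thread.

```python
import sqlite3

# Hypothetical schema; all names are constructed for this example.
SCHEMA = """
CREATE TABLE parameters (policy TEXT, name TEXT, value INTEGER,
                         PRIMARY KEY (policy, name));
CREATE TABLE parameter_limits (name TEXT PRIMARY KEY, minimum INTEGER,
                               maximum INTEGER, dflt INTEGER);
"""
# Seconds. 300 = 5 minutes, 63072000 = 2 years; defaults are constructed.
LIMITS = [("ttl_key", 300, 63072000, 3600),
          ("key_lifetime", 300, 63072000, 7776000)]
LIFETIME_FACTOR = 5  # the "n" in "key lifetime must be at least n * TTLkey"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO parameter_limits VALUES (?, ?, ?, ?)", LIMITS)
    return db


def get_parameter(db, policy, name):
    """Return the stored value, or the default from the limits table."""
    row = db.execute("SELECT value FROM parameters WHERE policy=? AND name=?",
                     (policy, name)).fetchone()
    if row is None:
        row = db.execute("SELECT dflt FROM parameter_limits WHERE name=?",
                         (name,)).fetchone()
    return row[0] if row else None


def set_parameter(db, policy, name, value):
    """Store the value unconditionally and return a list of warnings."""
    warnings = []
    lim = db.execute("SELECT minimum, maximum FROM parameter_limits "
                     "WHERE name=?", (name,)).fetchone()
    if lim and value < lim[0]:
        warnings.append(f"{name}={value} is below the advised minimum {lim[0]}")
    if lim and value > lim[1]:
        warnings.append(f"{name}={value} is above the advised maximum {lim[1]}")
    db.execute("INSERT OR REPLACE INTO parameters VALUES (?, ?, ?)",
               (policy, name, value))
    # Relationship check between two parameters of the same policy.
    ttl = get_parameter(db, policy, "ttl_key")
    life = get_parameter(db, policy, "key_lifetime")
    if life < LIFETIME_FACTOR * ttl:
        warnings.append(f"key_lifetime={life} is less than "
                        f"{LIFETIME_FACTOR} * ttl_key={ttl}")
    return warnings
```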