[Opendnssec-develop] relationships between KASP parameters

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Wed Mar 11 18:49:42 UTC 2009

opendnssec-develop-bounces at lists.opendnssec.org wrote on 11/03/2009 

> On 11 mar 2009, at 16.59, John Dickinson wrote:
> > Sion and I are wondering if the Enforecer/libKSM should validate the 
> > policies. For example there could be a set of rules like:
> > - TTLs must be no less than 5 min and no greater than 2 years
> > - key lifetime must be at least n * TTLkey where n is some number 
> > like 5.
> > - ...
> >
> > these are made up examples please don't worry about the exact 
> > numbers for now :)
> >
> > Do people think that
> > a) the enforcer/libKSM is the place to do this
> > b) this should be done at all
> > c) this should be left for the GUI/CLI that populates the KASP DB?
> > d) this should wait for v2
> I think we can do (d) right now and in the future decide if we do it 
> at all. this could be done by a standalone KASP "Lint" that reads the 
> policy XML.

like Jakob, I suggest (d) for now.  However, I think it ought to be done 
at the point the policy is created, which is probably (c).  The easiest 
way might be to put another parameters table in the database with a set of 
maximum/minimum/default values.  Then every time a parameter is modified, 
it is checked against the thresholds and a warning output if they are 
exceeded.  (Note warning - we are not stopping the user exceeding a 
threshold, we are just warning them that it might not be advisable to do 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090311/e2dbd874/attachment.htm>

More information about the Opendnssec-develop mailing list