[Opendnssec-develop] v2 topics

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Mar 25 17:21:26 UTC 2009



Hi,

In case we have time to discuss opendnssec v2 in the meeting today,
I propose some topics. Surprisingly, they almost all deal with handling
IXFRs. If you have more topics, please add.

* Securing IXFRs requires zone state. What state should be maintained:
the latest version I have received, the version I have pushed to my
secondaries, the status of the current zone update, ...

* Discuss schedule issues. Are there any? There may be in the case that:
	- the zone update rate is high
	- updates and key rollover occur at a similar time
	- resigning needs to replace many signatures
Are we going to rely on realtime schedulers that will solve our issues?

* Should we consider IXFR bulks, so that we do not push out IXFRs every
minute in case the zone update rate is high?

* Clockskew problems when using a second opendnssec box. Signatures may
differ. Secure64 detected this issue that is probably also applicable
for opendnssec. Joe Gersch proposed some solutions in the dnsop meeting.
Another solution might be to round up the inception time to a minute or
even more to ease this problem.

* Does key algorithm rollover and/or rollover to a new HSM or DNS
operator affect the key maintenance in KASP? What controls must be
provided in order to facilitate these rollovers?


Matthijs


