[Opendnssec-develop] v2 topics
matthijs at NLnetLabs.nl
Wed Mar 25 17:21:26 UTC 2009
In case we have time to discuss opendnssec v2 in the meeting today,
I propose some topics. Surprisingly, they almost all deal with handling
IXFRs. If you have more topics, please add.
* Securing IXFRs requires zone state. What state should be maintained:
the latest version I have received, the version I have pushed to my
secondaries, the status of the current zone update, ...
* Discuss schedule issues. Are there any? There may be in the case that:
- the zone update rate is high
- updates and key rollover occur at a similar time
- resigning needs to replace many signatures
Are we going to rely on realtime schedulers that will solve our issues?
* Should we consider IXFR bulks, so that we do not push out IXFRs every
minute in case the zone update rate is high?
* Clockskew problems when using a second opendnssec box. Signatures may
differ. Secure64 detected this issue that is probably also applicable
for opendnssec. Joe Gersch proposed some solutions in the dnsop meeting.
Another solution might be to round up the inception time to a minute or
even more to ease this problem.
* Does key algorithm rollover and/or rollover to a new HSM or DNS
operator affect the key maintenance in KASP? What controls must be
provided in order to facilitate these rollovers?