[Opendnssec-develop] OpenDNSSEC Requirements Updated

Jelte Jansen jelte at NLnetLabs.nl
Tue May 5 15:10:34 UTC 2009



Stephen.Morris at nominet.org.uk wrote:
> As a prelude for writing the test plan, I have updated the requirements 
> for OpenDNSSEC - see 
> http://www.opendnssec.se/wiki/ProjectPlan/Requirements
> 
> I have incorporated the original requirements, as well as requirements 
> from Nominet and .SE.
> 
> Comments?
> 

Just a few at a quick glance:

I'm seeing a few things that it currently does not do (signatures on first
input, but I think I can add that without much trouble), or probably can't
handle in any decent time range (sorting might take a while for millions of records).

RSA support is mentioned, but not RSAwithSHA1 and/or RSAwithMD5 (not that I know
of anyone actually using that, but it might be good to at least make the
distinction, and we will know where to put SHA2 if that draft ever reaches
publication).

I don't know in which category it would fall, but the SOA SERIAL that is used
could be very important for some people; I've heard of at least one instance
where they have the requirement that it is not changed by the signer. This will
have very serious consequences on when and how to do resigning operations (one
would have to 'sneak' them into normal updates, which of course have to happen
regularly then), but I guess this is more appropriate for the second version, so
it could actually be an explicit non-requirement.

Jelte


