[Opendnssec-develop] KASP Auditor Requirements

John Dickinson jad at jadickinson.co.uk
Tue May 12 13:20:36 UTC 2009


On 23 Apr 2009, at 12:38, Stephen.Morris at nominet.org.uk wrote:

> I've placed the first draft of (what I consider to be) the requirements
> for the KASP Auditor on the wiki:
>
>      http://www.opendnssec.se/wiki/Signer/AuditorRequirements


Some notes:
3.1 item 1: the signer should be able to change the TTL, minimum and serial numbers for the SOA. This is important so that the signer can "fix" an unsigned zone that does not contain values which are not consistent with the values specified in kasp.

3.1 item 2: using serial number arithmetic, of course.

3.2 item 2: the protocol field must equal 3
3.2: I don't agree with the last two checks. Either the sep bit should be used in a way consistent with RFC5011 or in a way consistent with the policy. It may be that the policy should be consistent with a BCP RFC like 4641bis.

3.3 s/domain/zone/

3.4 item 1: what if you are switching from nsec to nsec3? This does not have to be done in a single step.
3.4 item 4: should read: the nsec records form a single closed loop linking each owner name in canonical order.
3.4 item 5: should read: each nsec correctly identifies the set of RR types present at the owner name.

3.5 item 1: what if you are switching from nsec3 to nsec? This does not have to be done in a single step.
3.5 item 2: if you are doing nsec3 then there must be an nsec3param.
3.5 item 2c: there must be at least one complete chain of nsec3 records present with the same set of nsec3 parameters.
3.5 item 3: should read: each nsec3 record has bits set to indicate the types of RRs present at the owner name.
3.5 item 4: should read: the next hashed owner name field contains the next hashed owner name in hash order.

3.5: I think we should also say that all nsec3 records must either be  
opt in or opt out.


John
---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Land's End to John O'Groats to raise money for Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009
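The two checks John proposes for items 3.4/4 and 3.4/5 (one closed NSEC loop in canonical order, and a type bitmap that matches the RR types at each owner name) can be audited as below. This is an added example, not code from the post or from OpenDNSSEC; the zone data, the `audit_nsec_chain` function and its in-memory zone layout are constructed for illustration, and RRSIGs are left out of the sample zone.

```python
# Added example, not from the post: NSEC chain audit over a constructed zone.
def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left,
    case-insensitively; a parent name sorts before its children."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(label.encode() for label in reversed(labels))

def audit_nsec_chain(zone, apex):
    """zone maps owner -> {rtype: [rdata]}; NSEC rdata is (next_owner, frozenset
    of types). Returns problem strings; [] means one closed loop in canonical
    order and a correct type bitmap at every owner (items 3.4/4 and 3.4/5)."""
    problems = []
    owners = sorted(zone, key=canonical_key)
    if canonical_key(owners[0]) != canonical_key(apex):
        problems.append(f"first name in canonical order is {owners[0]}, not the apex")
    for i, owner in enumerate(owners):
        nsecs = zone[owner].get("NSEC", [])
        if len(nsecs) != 1:
            problems.append(f"{owner}: expected one NSEC, found {len(nsecs)}")
            continue
        next_owner, bitmap = nsecs[0]
        # Single closed loop: each NSEC names the canonically next owner and
        # the last one wraps back to the apex.
        expected = owners[(i + 1) % len(owners)]
        if canonical_key(next_owner) != canonical_key(expected):
            problems.append(f"{owner}: next is {next_owner}, expected {expected}")
        # Bitmap must list exactly the types at the owner (sample zone
        # carries no RRSIGs, so they are not expected here either).
        present = frozenset(zone[owner])
        if bitmap != present:
            problems.append(f"{owner}: bitmap {sorted(bitmap)} != {sorted(present)}")
    return problems

# Constructed sample zone; the chain is complete and correctly ordered.
GOOD_ZONE = {
    "example.": {"SOA": ["ns1.example. hostmaster.example. 2009051201 3600 900 1209600 3600"],
                 "NS": ["ns1.example."],
                 "NSEC": [("a.example.", frozenset({"SOA", "NS", "NSEC"}))]},
    "a.example.": {"A": ["192.0.2.1"],
                   "NSEC": [("WWW.example.", frozenset({"A", "NSEC"}))]},
    "www.example.": {"A": ["192.0.2.2"],
                     "NSEC": [("example.", frozenset({"A", "NSEC"}))]},
}

def broken_zone():
    """GOOD_ZONE with www.example. looping back to a.example. and a bitmap missing A."""
    zone = {owner: dict(rrsets) for owner, rrsets in GOOD_ZONE.items()}
    zone["www.example."]["NSEC"] = [("a.example.", frozenset({"NSEC"}))]
    return zone
```

Note that the next-owner comparison goes through `canonical_key`, so a differently cased pointer such as `WWW.example.` is accepted, while the short loop in `broken_zone()` is reported because it never returns to the apex.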