[Opendnssec-develop] Review requirements

Jelte Jansen jelte at NLnetLabs.nl
Wed May 13 15:26:14 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Stephen.Morris at nominet.org.uk wrote:
> 
> I'm not sure about a status report when the signer is in operation 
> (Jelte, how feasible is this?), but a status report showing all zones, 
> what keys are in the zone, and when the keys are due for replacement 
> should be obtainable from the KASP database.
> 
> In fact, looking through the requirements document I realise that it says 
> nothing about reporting current status.  It mentions a GUI (to be defined) 
> for configuration and use of syslog to report what has happened, but 
> nothing to report what _is_ happening - status of signer, KASP, keys etc. 
> What are people's thoughts here?
> 

Currently, you can ask the engine what it is planning to do and when, but not what
it is doing at this exact moment; i.e.

jelte at blackbox:~> signer_engine_cli queue
It is now: 2009-05-13 17:18:22
I have 6 tasks scheduled
At 2009-05-13 17:46:57 I will sign zone  openic.nl
At 2009-05-13 17:46:58 I will sign zone  dots.jelte.nlnetlabs.nl
At 2009-05-13 17:56:56 I will sign zone  nsec3.tjeb.nl
At 2009-05-13 19:20:19 I will sign zone  jelte.nlnetlabs.nl
At 2009-05-13 22:33:33 I will sign zone  tjeb.nl
At 2009-05-14 00:06:31 I will sign zone  sub.jelte.nlnetlabs.nl

though this is more of a debug option :)

The moment it starts signing it will disappear from the list, until it is done
signing, because it will automatically schedule a new resign operation.

I could extend this with the actions that are currently running, but in the way
it is done now it would not be able to tell how far it is; the actual signing
process doesn't know anything about zone sizes, it just gets rrsets and creates
signatures for them.

> 
> The requirements for the KASP auditor include two requirements to check 
> non-DNSSEC data as well:
> 
>  1. All non-DNSSEC data (i.e. all RRs except NSEC, NSEC3, NSEC3PARAM, 
> DNSKEY and RRSIG) in the input zone must be identical to that in the 
> output zone. The only exception is SOA, where it is permissible for the 
> serial number to differ.

Some other fields in the SOA RR can be overwritten by the signer engine as well
(TTL and minimum), if so specified by the config.

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkoK5pMACgkQ4nZCKsdOncXfrACfez5i+wo4k7b91H7yBMJ9HIdt
w4MAoJer4JzwJwN6McTQe77KKde+fhjm
=FX6h
-----END PGP SIGNATURE-----
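The auditor requirement quoted in the thread (all non-DNSSEC data identical between input and output zone, with the SOA serial excepted) together with the reply's point that the SOA TTL and minimum may also be rewritten when the config says so, as an added worked example in Python. This is not OpenDNSSEC's auditor or any code posted in the thread; it assumes a simplified one-RR-per-line zone format (no `$ORIGIN`/`$TTL`, no parenthesised multi-line records) and the sample zones, key and signature material are constructed placeholders.

```python
"""Added example, not OpenDNSSEC code: a minimal version of the KASP auditor
check discussed in the thread. It treats the signer as a black box and verifies
that every non-DNSSEC RR in the input zone appears unchanged in the output zone,
allowing the SOA serial to differ and, only when the operator's config permits
it, the SOA TTL and minimum as well."""
from collections import Counter

# Record types the signer is expected to add or rewrite; everything else must
# pass through unchanged.
DNSSEC_TYPES = {"NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "RRSIG"}


def parse_zone(text):
    """Parse a simplified zone: one RR per line, 'owner ttl class type rdata'.

    Assumption (not a full RFC 1035 parser): no $ORIGIN/$TTL directives, no
    parenthesised multi-line RRs, fully qualified owner names.
    """
    rrs = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5:
            raise ValueError(f"malformed RR: {raw!r}")
        owner = fields[0].lower()           # owner names are case-insensitive
        ttl = int(fields[1])
        rclass, rtype = fields[2].upper(), fields[3].upper()
        rdata = " ".join(fields[4:])
        rrs.append((owner, ttl, rclass, rtype, rdata))
    return rrs


def normalize_soa(rr, allow_ttl_minimum_change):
    """Blank out the SOA fields that are permitted to differ after signing."""
    owner, ttl, rclass, rtype, rdata = rr
    parts = rdata.split()
    if len(parts) != 7:  # mname rname serial refresh retry expire minimum
        raise ValueError(f"malformed SOA rdata: {rdata!r}")
    parts[2] = "*"                      # serial may always differ
    if allow_ttl_minimum_change:        # only if the signer config rewrites them
        parts[6] = "*"
        ttl = "*"
    return (owner, ttl, rclass, rtype, " ".join(parts))


def _comparable(rrs, allow_ttl_minimum_change):
    out = []
    for rr in rrs:
        if rr[3] in DNSSEC_TYPES:
            continue                    # signer-generated data is audited elsewhere
        if rr[3] == "SOA":
            rr = normalize_soa(rr, allow_ttl_minimum_change)
        out.append(rr)
    return Counter(out)                 # multiset: RR order is irrelevant


def _fmt(rr):
    return " ".join(str(f) for f in rr)


def audit_unsigned_data(input_zone, output_zone, allow_ttl_minimum_change=False):
    """Return sorted findings; an empty list means the non-DNSSEC data is identical."""
    before = _comparable(parse_zone(input_zone), allow_ttl_minimum_change)
    after = _comparable(parse_zone(output_zone), allow_ttl_minimum_change)
    findings = [f"missing from output: {_fmt(rr)}" for rr in (before - after).elements()]
    findings += [f"unexpected in output: {_fmt(rr)}" for rr in (after - before).elements()]
    return sorted(findings)


# Constructed sample zones (placeholder key and signature material).
INPUT_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2009051301 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
ns1.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN A 192.0.2.10
"""

# Constructed signer output: serial bumped, SOA minimum rewritten to 300, DNSSEC RRs added.
SIGNED_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2009051302 7200 900 1209600 300
example.test. 3600 IN RRSIG SOA 8 2 3600 20090612000000 20090513000000 12345 example.test. PLACEHOLDERSIG==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY==
example.test. 300 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
ns1.example.test. 3600 IN A 192.0.2.1
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 300 IN NSEC example.test. A RRSIG NSEC
"""

# Same output with one address silently altered: the case the check must catch.
TAMPERED_ZONE = SIGNED_ZONE.replace("192.0.2.10", "192.0.2.99")

if __name__ == "__main__":
    print(audit_unsigned_data(INPUT_ZONE, SIGNED_ZONE))          # SOA minimum flagged
    print(audit_unsigned_data(INPUT_ZONE, SIGNED_ZONE, True))    # []
    print(audit_unsigned_data(INPUT_ZONE, TAMPERED_ZONE, True))  # www A record flagged
```

The comparison is a multiset rather than a line-by-line diff because a signer is free to reorder records (canonical ordering for NSEC chains is the usual reason), so order is not a difference worth reporting, while a duplicated or dropped record is. Whether the TTL/minimum exception is switched on should come from the same configuration the signer reads, so the auditor never quietly accepts a rewrite the operator did not ask for.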