[Opendnssec-develop] Review requirements
jelte at NLnetLabs.nl
Wed May 13 15:26:14 UTC 2009
Stephen.Morris at nominet.org.uk wrote:
> I'm not sure about a status report when the signer is in operation
> (Jelte, how feasible is this?), but a status report showing all zones,
> what keys are in the zone, and when the keys are due for replacement
> should be obtainable from the KASP database.
> In fact, looking through the requirements document I realise that it says
> nothing about reporting current status. It mentions a GUI (to be defined)
> for configuration and use of syslog to report what has happened, but
> nothing to report what _is_ happening - status of signer, KASP, keys etc.
> What are people's thoughts here?
Currently, you can ask the engine what it is planning to do and when, but not what
it is doing at this exact moment; i.e.
jelte at blackbox:~> signer_engine_cli queue
It is now: 2009-05-13 17:18:22
I have 6 tasks scheduled
At 2009-05-13 17:46:57 I will sign zone openic.nl
At 2009-05-13 17:46:58 I will sign zone dots.jelte.nlnetlabs.nl
At 2009-05-13 17:56:56 I will sign zone nsec3.tjeb.nl
At 2009-05-13 19:20:19 I will sign zone jelte.nlnetlabs.nl
At 2009-05-13 22:33:33 I will sign zone tjeb.nl
At 2009-05-14 00:06:31 I will sign zone sub.jelte.nlnetlabs.nl
though this is more of a debug option :)
The moment it starts signing it will disappear from the list, until it is done
signing, because it will automatically schedule a new resign operation.
I could extend this with the actions that are currently running, but in the way
it is done now it would not be able to tell how far it is; the actual signing
process doesn't know anything about zone sizes, it just gets RRsets and creates
signatures for them.
> The requirements for the KASP auditor includes two requirements to check
> non-DNSSEC data as well:
> 1. All non-DNSSEC data (i.e. all RRs except NSEC, NSEC3, NSEC3PARAM,
> DNSKEY and RRSIG) in the input zone must be identical to that in the
> output zone. The only exception is SOA, where it is permissible for the
> serial number to differ.
Some other fields in the SOA RR can be overwritten by the signer engine as well
(TTL and minimum), if so specified by the config.
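The auditor requirement quoted above (all non-DNSSEC data identical between input and output zone, SOA serial excepted) plus the caveat in the reply (the signer may also rewrite the SOA TTL and minimum when configured to) can be checked mechanically. The following is an added example and is not OpenDNSSEC's own auditor code; it assumes a simplified one-record-per-line presentation format (fully qualified owners, no $ORIGIN, no parentheses) and uses a constructed pair of sample zones. The function name audit_non_dnssec_data and the soa_ttl_minimum_may_differ flag (modelling the "if so specified by the config" case) are hypothetical.

```python
"""Added example: check that non-DNSSEC data in the signer's output zone
matches the unsigned input zone, allowing only the SOA exceptions."""
from collections import Counter

# Record types the auditor ignores when comparing input and output.
DNSSEC_TYPES = {"NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "RRSIG"}

# Constructed sample zones (not real signer output); key/signature data are placeholders.
UNSIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009051301 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN A 192.0.2.11
mail.example.com. 300 IN MX 10 mx.example.com.
"""

SIGNED_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009051302 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20090613000000 20090513000000 12345 example.com. AAAA==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN NS ns2.example.com.
example.com. 3600 IN DNSKEY 257 3 8 AwEAAb==
example.com. 3600 IN NSEC mail.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN A 192.0.2.11
mail.example.com. 300 IN MX 10 mx.example.com.
"""


def parse_zone(text):
    """Parse one-RR-per-line presentation format into (owner, ttl, type, rdata) tuples.
    Assumption: fully qualified owners, class IN, no $ORIGIN/$TTL, no multi-line records."""
    rrs = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        if rclass.upper() != "IN":
            raise ValueError(f"unsupported class in record: {line}")
        # Normalise case of owner/type and whitespace inside rdata so cosmetic
        # differences introduced by the signer's zone writer do not count as changes.
        rrs.append((owner.lower(), int(ttl), rtype.upper(), " ".join(rdata.split())))
    return rrs


def normalize(rr, soa_ttl_minimum_may_differ=False):
    """Mask the SOA fields the requirement allows to differ: always the serial,
    and the TTL and minimum too when the signer is configured to rewrite them."""
    owner, ttl, rtype, rdata = rr
    if rtype == "SOA":
        fields = rdata.split()  # mname rname serial refresh retry expire minimum
        if len(fields) != 7:
            raise ValueError(f"malformed SOA rdata: {rdata}")
        fields[2] = "*"
        if soa_ttl_minimum_may_differ:
            fields[6] = "*"
            ttl = "*"
        rdata = " ".join(fields)
    return (owner, ttl, rtype, rdata)


def audit_non_dnssec_data(unsigned_text, signed_text, soa_ttl_minimum_may_differ=False):
    """Return a sorted list of problems; an empty list means the requirement holds.
    Multisets are used so duplicated or dropped copies of an RR are detected."""
    want = Counter(normalize(rr, soa_ttl_minimum_may_differ)
                   for rr in parse_zone(unsigned_text) if rr[2] not in DNSSEC_TYPES)
    got = Counter(normalize(rr, soa_ttl_minimum_may_differ)
                  for rr in parse_zone(signed_text) if rr[2] not in DNSSEC_TYPES)
    fmt = lambda rr: f"{rr[0]} {rr[1]} IN {rr[2]} {rr[3]}"
    problems = [f"missing from signed zone: {fmt(rr)}" for rr in (want - got).elements()]
    problems += [f"unexpected in signed zone: {fmt(rr)}" for rr in (got - want).elements()]
    return sorted(problems)


if __name__ == "__main__":
    for line in audit_non_dnssec_data(UNSIGNED_ZONE, SIGNED_ZONE) or ["OK: non-DNSSEC data unchanged"]:
        print(line)
```

Run with the flag off, the check fails as soon as the signer rewrites the SOA TTL or minimum, which is the right default: the auditor should only tolerate that difference when the KASP configuration actually asked for it, otherwise a rewritten SOA is indistinguishable from a corrupted one.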