[Opendnssec-develop] OpenDNSSEC Requirements Updated

Jelte Jansen jelte at NLnetLabs.nl
Wed May 13 17:09:52 UTC 2009

Hash: SHA1

Stephen.Morris at nominet.org.uk wrote:
> Jelte Jansen <jelte at NLnetLabs.nl> wrote on 05/05/2009 17:10:34:
>> I'm seeing a few things that it currently does not do (signatures on 
> first
>> input, but i think i can add that without much trouble), or probably 
> can't
>> handle in any decent timerange (sorting might take a while for 
>> millions of records)
> This is a first draft of the formal requirements, so there might be things 
> that are impractical or not needed, in which case they should be removed.

actually it currently performs better than i myself expected (not nearly well
enough for something like .org, but good enough to be usable for, say, just to
name something, .se. Although any change in zone file would, as it is currently,
require the full six minutes :p)

>> RSA support is mentioned, but not RSAwithSHA1 and/or RSAwithMD5 (not
>> that I know
>> of anyone actually using that, but it might be good to at least make the
>> distinction, and we will know where to put SHA2 if that draft ever 
> reaches
>> publication)
> I'm replying to this email a bit late (sorry!), so I'm not certain what 
> version you refer to.  However, the current version does state ( 
> that RSA/SHA-1 MUST be supported and that RSA/SHA-256 SHOULD be supported 
> if introduced as an RFC.  Do we need to bother with RSA/MD5?

IIRC, the version i read only said RSA and nothing else, so my point is hereby
officially obsolete :)

> We could add a requirement to "2.3.2 Signing Process" stating that the 
> user should have the choice of leaving the SOA serial number unchanged, or 
> having the system set it to Unix time format (number of seconds since 
> 1-Jan-1970).  But:
> a) are there any other serial number formats that should be considered?

well, it shouldn't be hard to add them to the code if they come up later, but i
can't think of any at this time

> b) is it worth worrying about leap-seconds (where, theoretically, the time 
> could go back by a second)?

IMHO, no. Although if there is the slightest reason for this, i can add the same
logic to the timestamp-based format as i put in datecounter, ie.
if calculated_serial <= last_or_output_serial
then output_serial = last_output_serial + 1
(come to think of it, i might need to include the input serial in that check as

> c) is the year 2038 problem too far away to worry about now? (Remember 
> what they said about the Y2K problem back in the 1960s.)

that's one reason to use serial arithmetic, no? One corner case would then be if
someone would setup a zone with timestamp serials and a resign period of over 68
years btw :)

Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Opendnssec-develop mailing list