[Opendnssec-develop] Enforcer engine

Yuri Schaeffer yuri at NLnetLabs.nl
Mon Jun 6 15:05:13 UTC 2011


Hi,

As stated in last (enforcer) teleconf, I was not completely happy about
the model. Last Friday night I decided sleep wasn't all that important
and came up with an alternative. I want to share it with you before a
next meeting, therefore I hastily compiled the attached document. It's a
bit rough on the edges so to say... sorry.

As far as I can see it has a couple of advantages in comparison with my
previous design:

- simpler to implement
- computationally far less complex (no nested 'exists' loops)
- explicit state for RRSIG DNSKEY (for better 5011 support)
   - and no mapping to signer configuration required.
- 'smooth transitions' by design
- self repairing to some extent
- Less (no) logical difference between ksk and zsk
- no need for NULL keys to switch between a signed and an unsigned zone

The design needs a little bit of tweaking before it's perfect. Also
attached is a Python proof of concept. Undocumented, of course. Call it with
'python prototype.py 2>/dev/null' for less debugging information.

Doc and code can also be found in svn in home/yuri/enforcer_model2

//Yuri


-- 
Yuri Schaeffer
NLnet Labs
http://www.nlnetlabs.nl
-------------- next part --------------
Attachment: enforcer_rules.pdf (application/pdf, 125136 bytes)
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110606/a2e97791/attachment.pdf>
-------------- next part --------------
Attachment: prototype.py (text/x-python, 4635 bytes)
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20110606/a2e97791/attachment.py>