[Opendnssec-develop] Multiple-view OpenDNSSEC thoughts
Rick van Rein
rick at openfortress.nl
Tue Mar 27 11:46:24 UTC 2012
Hello,
I've been thinking a bit about multiple-view options for OpenDNSSEC.
The question comes up every now and then, and we currently cannot
handle them in one instance. Applications are differing internal
and external views, or time-dependent replies e.g. for ENUM, or
perhaps IPv4 and IPv6 views for various transitioning techniques.
The principal problem, as I understand it, is that the identity of
a signed zone in OpenDNSSEC matches that of a zone in DNS. Since
there is a possibility to provide various views on the latter, a
better identity for a signed zone in OpenDNSSEC would be a tuple
holding the zone's DNS name and some admin-picked label for the
view, so (zonename,viewlabel) or in XML:
    <Zone name="example.com" view="intern">
        <Policy .../>
        <SignerConfiguration .../>
        <Adapters>
            <Input .../>
            <Output .../>
        </Adapters>
    </Zone>
In non-XML prints, a default for the option view could be to not
print a view, but distinguish views with labels through an addition
like
    Found Zone: example.com; view intern; on policy default
    Found Zone: example.com; view extern; on policy default
The result of this identity-tuple would be that the zones are
treated entirely differently.
It is a matter of choice whether the same keys would be used, in
a sort of shared mode. This would avoid revealing keys for all
views to each user (saving bandwidth, and perhaps being more secure).
Any thoughts on this kind of facility?
Cheers,
-Rick
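As an added illustration of the (zonename, viewlabel) identity proposed in the message above, the following Python parses a zonelist in which `<Zone>` may carry a `view` attribute and keys every zone on that tuple. This is example code written for this page, not OpenDNSSEC's own code: the `view` attribute is the proposal's hypothetical attribute, the zonelist is constructed for the example, and the signer-configuration and adapter paths in it are made up. It also shows the two consequences the message describes: zones with the same DNS name but different views are handled as distinct zones, and a zone without a view prints without one.

```python
"""Illustration of the proposed (zonename, viewlabel) zone identity.

Added example, not OpenDNSSEC code. The ``view`` attribute on <Zone> is the
hypothetical attribute from the proposal; the sample zonelist and its file
paths are constructed for this example.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from typing import Dict, NamedTuple


class ZoneId(NamedTuple):
    """Identity of a signed zone: DNS name plus admin-picked view label."""
    name: str
    view: str  # "" when no view attribute is given (today's single-view case)


# Constructed sample zonelist: example.com appears twice, once per view,
# and example.net has no view at all.
SAMPLE_ZONELIST = """<ZoneList>
  <Zone name="example.com" view="intern">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.intern.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/example.com.intern</File></Input>
      <Output><File>/var/opendnssec/signed/example.com.intern</File></Output>
    </Adapters>
  </Zone>
  <Zone name="example.com" view="extern">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.extern.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/example.com.extern</File></Input>
      <Output><File>/var/opendnssec/signed/example.com.extern</File></Output>
    </Adapters>
  </Zone>
  <Zone name="Example.NET.">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/example.net</File></Input>
      <Output><File>/var/opendnssec/signed/example.net</File></Output>
    </Adapters>
  </Zone>
</ZoneList>
"""


def parse_zonelist(xml_text: str) -> Dict[ZoneId, str]:
    """Return {ZoneId: policy name} for every <Zone> in the list.

    Two <Zone> elements with the same name but different views are distinct
    zones; the same (name, view) pair twice is a configuration error.
    """
    root = ET.fromstring(xml_text)
    zones: Dict[ZoneId, str] = {}
    for zone in root.iter("Zone"):
        name = zone.get("name")
        if not name:
            raise ValueError("Zone element without a name attribute")
        # DNS names are case-insensitive and the trailing dot is optional,
        # so normalise before comparing identities.
        zid = ZoneId(name.lower().rstrip("."), zone.get("view", ""))
        if zid in zones:
            raise ValueError(f"duplicate zone identity {zid}")
        zones[zid] = zone.findtext("Policy", default="")
    return zones


def describe(zid: ZoneId, policy: str) -> str:
    """Render the 'Found Zone' line; the view is printed only when one is set."""
    view_part = f" view {zid.view};" if zid.view else ""
    return f"Found Zone: {zid.name};{view_part} on policy {policy}"


if __name__ == "__main__":
    for zid, policy in parse_zonelist(SAMPLE_ZONELIST).items():
        print(describe(zid, policy))
```

Because the identity includes the view, the per-zone artefacts that OpenDNSSEC derives from the zone name (signer configuration, adapter files) would also need the view label in their names, which the constructed paths above assume; otherwise two views of one zone would collide on disk even though they are distinct in the zonelist.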