[Opendnssec-develop] Multiple-view OpenDNSSEC thoughts

Rick van Rein rick at openfortress.nl
Tue Mar 27 11:46:24 UTC 2012


I've been thinking a bit about multiple-view options for OpenDNSSEC.
The question comes up every now and then, and we currently cannot
handle them in one instance.  Applications include differing internal
and external views, or time-dependent replies e.g. for ENUM, or
perhaps IPv4 and IPv6 views for various transitioning techniques.

The principal problem as I understand it, is that the identity of
a signed zone in OpenDNSSEC matches that of a zone in DNS.  Since
there is a possibility to provide various views on the latter, a
better identity for a signed zone in OpenDNSSEC would be a tuple
holding the zone's DNS name and some admin-picked label for the
view, so (zonename,viewlabel) or in XML:

	<Zone name="example.com" view="intern">
		<Policy .../>
		<SignerConfiguration .../>
			<Input .../>
			<Output .../>

In non-XML prints, a default for the option view could be to not
print a view, but distinguish views with labels through an addition

	Found Zone: example.com; view intern; on policy default
	Found Zone: example.com; view extern; on policy default

The result of this identity-tuple would be that the zones are
treated entirely differently.

It is a matter of choice whether the same keys would be used, in
a sort of shared mode.  This would avoid revealing keys for all
views to each user (saving bandwidth, and perhaps being more secure).

Any thoughts on this kind of facility?
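As an added illustration of the (zonename, viewlabel) identity proposed above, and not code from the original post or from OpenDNSSEC itself: a small loader that reads a zone list in which each Zone carries an optional view attribute, keys zones by the tuple rather than by name alone, and rejects two entries that resolve to the same identity. The element names other than the view attribute follow the zonelist.xml layout of OpenDNSSEC 1.x as an assumption, and the sample zone list is constructed.

```python
"""
Hypothetical zone-list loader keyed by (zone name, view label).

Assumptions (not from OpenDNSSEC): the <ZoneList>/<Zone>/<Policy>/
<SignerConfiguration> layout, and the `view` attribute on <Zone>.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Tuple

# A zone's identity: canonical DNS name plus an admin-picked view label.
# None means "no view given", i.e. the single unlabeled view.
ZoneKey = Tuple[str, Optional[str]]

# Constructed sample: the same DNS name in two views, and a zone without
# a view attribute.
SAMPLE_ZONELIST = """\
<ZoneList>
  <Zone name="example.com" view="intern">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.intern.xml</SignerConfiguration>
  </Zone>
  <Zone name="example.com" view="extern">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.extern.xml</SignerConfiguration>
  </Zone>
  <Zone name="example.net">
    <Policy>lab</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration>
  </Zone>
</ZoneList>
"""


def zone_key(elem: ET.Element) -> ZoneKey:
    """Build the identity tuple for one <Zone> element.

    The DNS name is canonicalised (case-insensitive, trailing dot dropped)
    so that 'Example.COM.' and 'example.com' cannot masquerade as two
    distinct zones.  The view label is opaque and compared as given.
    """
    name = elem.get("name", "").rstrip(".").lower()
    if not name:
        raise ValueError("<Zone> without a name attribute")
    return (name, elem.get("view"))


def load_zonelist(xml_text: str) -> Dict[ZoneKey, Dict[str, str]]:
    """Parse a zone list; every (name, view) identity must be unique."""
    root = ET.fromstring(xml_text)
    zones: Dict[ZoneKey, Dict[str, str]] = {}
    for elem in root.findall("Zone"):
        key = zone_key(elem)
        if key in zones:
            raise ValueError(f"duplicate zone identity {key!r}")
        zones[key] = {
            "policy": elem.findtext("Policy", default="default"),
            "signconf": elem.findtext("SignerConfiguration", default=""),
        }
    return zones


def describe(zones: Dict[ZoneKey, Dict[str, str]]) -> List[str]:
    """Non-XML listing: print the view only when one was given."""
    lines = []
    for (name, view), cfg in sorted(
        zones.items(), key=lambda kv: (kv[0][0], kv[0][1] or "")
    ):
        view_part = f" view {view};" if view is not None else ""
        lines.append(f"Found Zone: {name};{view_part} on policy {cfg['policy']}")
    return lines


if __name__ == "__main__":
    for line in describe(load_zonelist(SAMPLE_ZONELIST)):
        print(line)
```

Note that with the tuple as identity, the per-view SignerConfiguration (and, by extension, the signed output) must also differ per view; a loader that keyed on the name alone would silently let the second example.com entry overwrite the first.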


More information about the Opendnssec-develop mailing list