[Opendnssec-develop] Passing through signed zones
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Jun 13 13:46:17 UTC 2013
Hi devs,
We have this issue for passing through unsigned zones:
https://issues.opendnssec.org/browse/OPENDNSSEC-138
But we probably also want to support passing through signed zones. Our
current solution only works for unsigned zones. Yuri and I have been
discussing and we want to propose the following solution for passing
through both types of zones:
The user should configure in the zonelist.xml if a zone should be passed
through by using a special name:
<Policy>passthrough</Policy>
ods-kaspcheck should check that kasp.xml does not contain a policy with
that name. <SignerConfiguration> is ignored.*
If a zone is configured with such a policy name, the enforcer won't
create keys and signer configuration, the signer will not change zone
contents.
Pro:
- If you want to schedule a zone in for signing (in other words, no more
pass-through, sign with opendnssec) it is just a matter of changing the
policy name to one of the (existing) policies and running the update commands.
- You can have unsigned and signed zones under your control and unsigned
and signed zones not under your control go through the same signing
infrastructure.
Con:
- Hijacking a policy name is a bit ugly. On the other hand, having to
specifically mention this zone should be passed through makes it less
likely that users configure this unintentionally. Alternatively, we
could use a new zonelist.xml option <Pass-through/>.
What do you think?
Best regards,
Matthijs
* Yuri and I have discussed that <SignerConfiguration> should not be
there in case the policy is "passthrough", but I think ignoring is
better: in case you change it to a kasp, it takes fewer configuration
changes to make.
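The rule proposed above, written out as an added Python check (an illustration, not OpenDNSSEC's own ods-kaspcheck code): the reserved policy name must not appear in kasp.xml, zones naming it are reported as pass-through with their <SignerConfiguration> ignored, and every other zone must reference a defined policy. The two XML fragments are constructed samples in the zonelist.xml/kasp.xml layout, and the function name is assumed.

```python
import xml.etree.ElementTree as ET

PASSTHROUGH = "passthrough"  # the special policy name from the proposal

# Constructed sample zonelist.xml: one zone signed by OpenDNSSEC, one passed through.
ZONELIST_XML = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
  </Zone>
  <Zone name="external.example">
    <Policy>passthrough</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/external.example.xml</SignerConfiguration>
  </Zone>
</ZoneList>"""

# Constructed sample kasp.xml: defines "default" only, as the proposal requires.
KASP_XML = """<KASP>
  <Policy name="default"><Description>constructed sample</Description></Policy>
</KASP>"""


def check_passthrough(zonelist_xml, kasp_xml):
    """Return (passthrough_zones, errors) for the given configuration strings."""
    kasp_policies = {p.get("name") for p in ET.fromstring(kasp_xml).findall("Policy")}
    errors = []
    if PASSTHROUGH in kasp_policies:
        # kaspcheck rule from the proposal: the name is reserved, never a real policy.
        errors.append(f"kasp.xml defines reserved policy name '{PASSTHROUGH}'")
    passthrough = []
    for zone in ET.fromstring(zonelist_xml).findall("Zone"):
        name = zone.get("name")
        policy = zone.findtext("Policy", "").strip()
        if policy == PASSTHROUGH:
            # No keys, no signer configuration: the zone is relayed unchanged.
            # A <SignerConfiguration> element, if present, is deliberately ignored.
            passthrough.append(name)
        elif policy not in kasp_policies:
            errors.append(f"zone {name}: policy '{policy}' not found in kasp.xml")
    return passthrough, errors


if __name__ == "__main__":
    zones, problems = check_passthrough(ZONELIST_XML, KASP_XML)
    print("pass-through zones:", zones)
    print("errors:", problems or "none")
```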