[Opendnssec-develop] Passing through signed zones

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 13 13:46:17 UTC 2013

Hi devs,

We have this issue for passing through unsigned zones:


But we probably also want to support passing though signed zones. Our
current solution only works for unsigned zones. Yuri and I have been
discussing and we want to propose the following solution for passing
through both types of zones:

The user should configure in the zonelist.xml if a zone should be passed
through by using a special name:


ods-kaspcheck should check that kasp.xml does not contain a policy with
that name. <SignerConfiguration> is ignored.*

If a zone is configured with such a policy name, the enforcer won't
create keys and signer configuration, the signer will not change zone

- If you want to schedule a zone in for signing (in other words, no more
pass-through, sign with opendnssec) it is just a matter of changing the
policy name to one of the (existing) policies and run the update commands.
- You can have unsigned and signed zones under your control and unsigned
and signed zones not under your control go through the same signing

- Hijacking a policy name is a bit ugly. On the other hand, having to
specifically mention this zone should be passed through makes it less
likely that users configure this unintentionally. Alternatively, we
could use a new zonelist.xml option <Pass-through/>.

What do you think?

Best regards,

* Yuri and I have discussed that <SignerConfiguration> should not be
there in case of the policy is "passthrough", but I think ignoring is
better: In case you change it to a kasp, it takes less configuration
changes to make.

More information about the Opendnssec-develop mailing list