[Opendnssec-develop] Passing through signed zones

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jun 13 14:58:22 UTC 2013

On 06/13/2013 04:43 PM, Rick van Rein (OpenFortress) wrote:
> Hallo,
>> We have this issue for passing through unsigned zones:
> You must mean "for passing zones without adding signatures".
> The zone might already be signed of course.

Well, if we are going to nitpick :-p: The issue is for passing through
unsigned zones. And yes, we also want to support passing though signed

>> The user should configure in the zonelist.xml if a zone should be passed
>> through by using a special name:
>>    <Policy>passthrough</Policy>
> I assume this is a user-picked name that suggests to them what they mean, but that the name is not, as Jakob assumed from this text, in any way special.

The suggestion it was a special name (hence the suggestion ods-kaspcheck
should check for it). <Passthrough/> might be better.

> I assume the real configuration would come down to setting no cryptographic configuration, or explicitly selecting a null or passthrough mechanism for signing/keying?

The first would conflict with zones that go through unsigned gradually.
Explicitly selecting passthrough is probably the way to go.

>> Con:
>  - Temporary passthrough signatures, such as during a zone migration between vendors, could end up requiring a change of signing policy.  You might not be prepared to support that.

I need more information on what you exactly mean. What do you mean with
vendors? Different DNS operators? Different tooling?

The comment does make me realize that we might have to think about
gradually switching between passtrough and a kasp policy.

Best regards,

>> What do you think?
> I think it's wonderful that this is being added.  I've missed it for a long time.

> -Rick

More information about the Opendnssec-develop mailing list