[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

Jerry Lundström jerry at opendnssec.org
Thu Sep 19 14:28:40 UTC 2013

On Sep 19, 2013, at 16:03 , John Dickinson wrote:

> I have not had time to look at LIM, so this may be a stupid comment…

It's Lim not LIM, it's not an acronym. Just the Swedish word for glue. All comments are welcomed.

> IMHO: This kind of makes some of the enforcer pointless if an external mgmt. app is doing the key rollover (even more so in v2 ????). I would imagine that most operators would prefer an active-active system where the two enforcers communicate state to each other and both signers act as masters for the zones. I do realise that this might be a lot more work :)

The whole idea behind Lim, and the plugins that I've made, is that it is A LOT more work to redesign and develop OpenDNSSEC to have internal support for active-active solutions than to just put something on top of OpenDNSSEC.

As the API plugins for OpenDNSSEC and SoftHSM are complete I am now working on something that will manage these applications.

I do not think operators will care what layer is doing the active-active solution as long as there is one, and this plugin that I'm developing now will take care of all this. And I want to do this with ONLY using the tools that come with OpenDNSSEC and SoftHSM because otherwise you are essentially hacking the program and creating very hard to manage dependencies (you would not edit a MySQL database file by hand just because you can, now would you?).

> Out of interest, has there been any architecture discussion for this kind of functionality? I could not find it…

For OpenDNSSEC's part, no, there has not been any discussion of this kind. There's only been an API/CLI discussion.

For Lim's part or rather the plugin I am developing now (Lim is really just a framework, it does not do anything on its own), not really. This work isn't really a part of OpenDNSSEC per se. I welcome the discussion but I have no material to present, right now I am just testing my way forward.


Jerry Lundström - OpenDNSSEC Developer
