[Opendnssec-develop] kasp draft
matthijs at nlnetlabs.nl
Mon Jul 28 09:10:21 UTC 2014
On 07/15/2014 10:52 AM, Siôn Lloyd wrote:
> "a policy MUST have the containers Signatures, Denial, Keys, Zone and
> This is only true for a policy that can control a key rollover; If all I
> want is to describe the signing part then "Parent" becomes optional. I
> guess this is the same as Yuri's comment?
Similar. Yuri's point is if everything in a container is optional. I
think a KASP should always describe how to do a key rollover by the way.
> Jitter - I'm not sure that there is a need to define the jitter
> algorithm... I can have jitter that only increases signature lifetimes
> (i.e. r * j) and it is still just as valid. The algorithm could be given
> as an example.
I think we do want to define the algorithm: So that if the policy is
used in a different implementation, you can expect the same behavior.
> Can Resalt be PT0S? If so what does this mean?
Do not resalt.
> Can SaltLength be 0?
> (In general by integer you mean positive integer; possibly including
> zero? This is all explicit in the current kasp.rnc)
Good point. Have to check. Added an issue for that:
> Does Repository need to be mandatory? Is this only the case if the
> signer uses PKCS11 (I'm not sure of the answer to this; but e.g. "keys
> on disc" would need a path instead).
If Repository can be anything else than a HSM, like Jerry said, then
this may affect the policy model. Thinking twice: probably not, because
in KASP we reference to a Repository identifier string.
Thanks for the comments!
> On 04/07/14 14:23, Matthijs Mekking wrote:
>> On 07/04/2014 03:15 PM, Yuri Schaeffer wrote:
>>>> We would like to hear your opinions about this and get your
>>> 1) 18.104.22.168
>>> The choice and case modeling types are not included in the actual
>>> data tree. In the case that NSEC is used, the XML example would be:
>>> I don't understand what 'choice and case modeling types' are.
>> Its YANG language (RFC 6020). Basically you specify in your model that
>> you have a choice: Either the schema contains <this> or the schema
>> contains <that>. You cannot have both <this> and <that> at the same
>> time. A case modeling type is a choice option so to say.
>>> 2) 22.214.171.124. Zone
>>> 3. Serial - The format of the serial number in the signed zone.
>>> This is one of: "counter", datecounter, unixtime, keep.
>>> Perhaps Serial should not be defined as a string but rather a type
>>> that has one of the above values.
>> I was thinking of that too. I'll add that as an issue to be resolved.
>>> 3) 126.96.36.199
>>> It is unclear which values in the Zone>SOA container are optional.
>> Ok, I'll take a look.
>>> 4) If everything in the parent container is optional, why MUST we have
>>> a parent container?
>> This can probably be a MAY. We started with kasp.rnc with this document
>> and then relaxed some rules.
>> I created issues for these in github:
>> Thanks Yuri!
>> Best regards,
>>> Opendnssec-develop mailing list
>>> Opendnssec-develop at lists.opendnssec.org
>> Opendnssec-develop mailing list
>> Opendnssec-develop at lists.opendnssec.org
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
More information about the Opendnssec-develop