[Opendnssec-user] Description of individual OpenDNSSEC packages

Rick van Rein rick at openfortress.nl
Tue Feb 2 13:35:01 UTC 2010


Hello Ondrej,

> Since documentation is scarce and I still don't have good
> understanding of what component does what,

Sorry about that.  We've recently worked hard to create manual pages,
which I felt filled a big need.

> I would gladly accept help
> with writing short one line summary and longer descriptions.

Of course.

> {{{
> opendnssec-auditor
> 
> Description: tool to audit DNS signed zones according to local policy
>  OpenDNSSEC is a complete DNSSEC zone signing system which is very
>  easy to use with stability and security in mind.  There are a lot of
>  details in signing zone files with DNSSEC and OpenDNSSEC covers most
>  of it.

The policy details concern timing and security parameters.

>  This package contains OpenDNSSEC Auditor, which is a tool to check
>  whether a DNSSEC signed zone complies with a local policy.  It is issued
>  automatically (unless disabled) after each resigning of a zone
>  and will stop the signed zone file from being distributed if any
>  error is found.

Perhaps add that it is an optional component as far as OpenDNSSEC is
concerned.  Many people seem to prefer to not use it.  This is why I
wondered a while back if it was going to be packaged separately; one
day, I think it will be included for auditing if-and-only-if an
auditor is installed.

> opendnssec-conf
> Description: common configuration files for OpenDNSSEC suite
>  OpenDNSSEC is a complete DNSSEC zone signing system which is very
>  easy to use with stability and security in mind.  There are a lot of
>  details in signing zone files with DNSSEC and OpenDNSSEC covers most
>  of it.

The recent version of these lyrics is a bit more accurate perhaps,
from http://trac.opendnssec.org/wiki/Signer/Using

OpenDNSSEC is a complete DNSSEC zone signing system which
maintains stability and security of signed domains. DNSSEC adds many
cryptographic concerns to DNS; OpenDNSSEC automates those to allow current DNS
administrators to adopt DNSSEC. This document provides DNS administrators with
the necessary information to get the system up and running with a basic
configuration.

This replacement would apply in multiple places, I think.  Especially
"covers most of it" is not ideal for guiding choices whether or not to
install the packages.

>  This package contains common configuration files.

NOTE: I don't understand why you'd package this separately, as it has
no real meaning on its own.  It always combines with the signer.

> libhsm
> Description: library for interfacing PKCS#11 Hardware Security Modules
>  OpenDNSSEC is a complete DNSSEC zone signing system which is very
>  easy to use with stability and security in mind.  There are a lot of
>  details in signing zone files with DNSSEC and OpenDNSSEC covers most
>  of it.
>  .
>  Support library for interfacing PKCS#11 compatible Hardware Security
>  Modules (HSM).  This library allows programs to use cryptographically
>  secure storage for keying material such as softhsm (an HSM implemented
>  in software), SCA6000, Aladdin eToken, OpenSC, nCipher or AEP Keyper.

It is common usage to write a space after PKCS.

> opendnssec-enforcer
> Description: DNSSEC Key and Signature Policy enforcing daemon
>  OpenDNSSEC is a complete DNSSEC zone signing system which is very
>  easy to use with stability and security in mind.  There are a lot of
>  details in signing zone files with DNSSEC and OpenDNSSEC covers most
>  of it.
>  .
>  This package contains a daemon which generates DNSSEC key material
>  and communicates with the OpenDNSSEC signing daemon.

The daemon contained in this package enforces the timing and security
parameters of DNSSEC policies as specified for each zone.  It will
schedule and execute key generation on an HSM, and it will schedule
the task queue for the signer daemon.

NOTE: I don't understand why you'd package this separately, as it has
no real meaning on its own.  It always combines with the signer.

> opendnssec-signer
> 
> Description: DNSSEC signer engine for OpenDNSSEC
>  OpenDNSSEC is a complete DNSSEC zone signing system which is very
>  easy to use with stability and security in mind.  There are a lot of
>  details in signing zone files with DNSSEC and OpenDNSSEC covers most
>  of it.
>  .
>  The task of the signer engine is to schedule signing operations on DNS zones.
>  Taking input from the KASP, it will automatically sign zones and keep their
>  signatures up-to-date.

"schedule and execute".

NOTE: I don't understand why you'd package this separately, as it has
no real meaning on its own.  It always combines with the signer.


Hope this helps,


Cheers,
 -Rick
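
The thread above describes the auditor as a check of a signed zone's timing and security parameters against a local policy, run after each resigning and blocking distribution on any error.  The following is an added illustration of that idea, not OpenDNSSEC's auditor or any code from the project: a minimal check of RRSIG records in presentation format against a hypothetical policy.  The policy values, the "now" timestamp and the zone excerpt are constructed for the example, and the parser assumes the class field is present (owner, TTL, class, RRSIG, ...).

```python
"""Auditor-style RRSIG timing/algorithm check (added example, not OpenDNSSEC code)."""
from datetime import datetime, timedelta, timezone

# Hypothetical local policy (assumed values, not a real KASP file).  The names
# mirror the kind of parameters a signing policy carries: acceptable algorithms,
# how much validity must remain before a resign, and the maximum validity span.
POLICY = {
    "allowed_algorithms": {8, 13},        # RSASHA256, ECDSAP256SHA256
    "min_remaining": timedelta(days=3),   # remaining validity must be at least this
    "max_validity": timedelta(days=14),   # expiration - inception must not exceed this
}

# Constructed "now": the timestamp of the mail above.
NOW = datetime(2010, 2, 2, 13, 35, 1, tzinfo=timezone.utc)

# Constructed zone excerpt (signatures are placeholders; nothing here is verified).
ZONE = [
    "example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010020201 3600 900 1209600 3600",
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20100216120000 20100202120000 12345 example.com. AAAA",
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20100203120000 20100120120000 12345 example.com. AAAA",
    "mail.example.com. 3600 IN RRSIG A 5 3 3600 20100216120000 20100202120000 54321 example.com. AAAA",
    "ns1.example.com. 3600 IN RRSIG A 8 3 3600 20100220120000 20100203120000 12345 example.com. AAAA",
]


def parse_sigtime(field):
    """RFC 4034 RRSIG time field: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14 and field.isdigit():
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(line):
    """Return a dict for an RRSIG record in presentation format, or None otherwise."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        return None
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": parse_sigtime(f[8]),
        "inception": parse_sigtime(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def audit_zone(lines, now, policy):
    """Return one (owner, type covered, reason) tuple per policy violation.

    An empty list means the zone passes this (deliberately narrow) check; the
    real auditor inspects much more, e.g. key usage, NSEC/NSEC3 chains and SOA.
    """
    errors = []
    for line in lines:
        sig = parse_rrsig(line)
        if sig is None:
            continue  # not an RRSIG line
        owner, rtype = sig["owner"], sig["type_covered"]
        if sig["algorithm"] not in policy["allowed_algorithms"]:
            errors.append((owner, rtype, "algorithm %d not allowed" % sig["algorithm"]))
        if sig["inception"] > now:
            errors.append((owner, rtype, "inception is in the future"))
        if sig["expiration"] - now < policy["min_remaining"]:
            errors.append((owner, rtype, "expires too soon"))
        if sig["expiration"] - sig["inception"] > policy["max_validity"]:
            errors.append((owner, rtype, "validity period too long"))
    return errors


def may_distribute(lines, now=NOW, policy=POLICY):
    """The distribute-or-block decision: True only when no violation was found."""
    return not audit_zone(lines, now, policy)


if __name__ == "__main__":
    for owner, rtype, reason in audit_zone(ZONE, NOW, POLICY):
        print("%s RRSIG(%s): %s" % (owner, rtype, reason))
    print("distribute:", may_distribute(ZONE))
```

The four constructed failures show the checks separately: a signature that expires before the resign margin, one made with an algorithm the policy does not allow, and one whose inception is in the future and whose validity window is longer than permitted.  Only the SOA signature passes, so the zone as a whole would be held back.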


