[Opendnssec-user] Replacement for auditor in 1.4.0

Rick van Rein rick at openfortress.nl
Thu Mar 8 11:59:51 UTC 2012


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

> > But, hum, how can a tool like validns know things the auditor did,
> 
> Just parse the signconf.xml

You'd be checking up on a tool, but at the same time trusting it?

My response would've been "just look in authoritative DNS for its
current state".  The tedious and cautious thing to do would be to
look at _all_ authoritative DNS servers to be certain that a RR
is either available or absent on all.

For most things, availability on all authoritative DNS servers
_and_ the new zone data would function to ensure that a signature
will go through.

I can see one exception to this, namely when multiple signing
algorithms are used.  Algorithms would be triggered when available
on _some_ authoritative DNS server _or_ the new zone data.  This
would trigger a validation in which all signing algorithms must
individually succeed, as stated in the RFCs.

The combination is quite tight: if either version of the zone data
refers to an algorithm, then all versions of the zone data must hold
the key/signature material to verify it.

- -Rick
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: New to PGP? http://openfortress.nl/doc/essay/OpenPGP/index.nl.html

iEYEARECAAYFAk9YnzcACgkQFBGpwol1RgaKPACfYn+n8CG+C3ck6J548UB8Fymz
X2UAoI22J8zTlADMiR3idmgiySa9Upsn
=3Aew
-----END PGP SIGNATURE-----
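The multi-algorithm rule Rick describes (an algorithm referenced by any version of the zone obliges every version to carry both keys and signatures for it) can be turned into a mechanical check. The following is an added example, not code from the thread, from validns or from OpenDNSSEC: it models each "version" of the zone (the view from each authoritative server plus the new zone data) as a ZoneView built from constructed sample data, takes the union of algorithms referenced anywhere, and reports every version that lacks a DNSKEY or an RRSIG for one of them. The server names, owner names and the "ns2 has the new key but no signatures yet" scenario are assumptions made up for the example; the algorithm numbers 8 (RSASHA256) and 13 (ECDSAP256SHA256) are the IANA values.

```python
from dataclasses import dataclass


@dataclass
class ZoneView:
    """One version of the zone: as seen on one authoritative server, or the
    new zone data about to be published (constructed model, not a parser)."""
    source: str
    dnskey_algs: set        # algorithm numbers present in the apex DNSKEY RRset
    rrsig_algs: dict        # "owner/TYPE" -> set of algorithms its RRSIGs use


def algorithms_in_use(views):
    """Union of every algorithm that any version of the zone refers to.
    Presence on *some* server or in the new data is enough to trigger it."""
    algs = set()
    for view in views:
        algs |= view.dnskey_algs
        for signed_with in view.rrsig_algs.values():
            algs |= signed_with
    return algs


def check_views(views):
    """Return a list of problems; empty means every version of the zone holds
    key and signature material for every algorithm referenced anywhere
    (the RFC 4035 / RFC 6840 per-algorithm signing requirement)."""
    required = algorithms_in_use(views)
    problems = []
    for view in views:
        for alg in sorted(required - view.dnskey_algs):
            problems.append(f"{view.source}: no DNSKEY for algorithm {alg}")
        for rrset, algs in sorted(view.rrsig_algs.items()):
            for alg in sorted(required - algs):
                problems.append(f"{view.source}: {rrset} lacks RRSIG by algorithm {alg}")
    return problems


# Constructed sample: an ECDSA (13) key has been pre-published on ns2 and is
# used in the new zone data, but ns1 has not received it and ns2 is not yet
# serving signatures made with it.
SAMPLE_VIEWS = [
    ZoneView("ns1.example (constructed)", {8},
             {"example./SOA": {8}, "example./NS": {8}, "www.example./A": {8}}),
    ZoneView("ns2.example (constructed)", {8, 13},
             {"example./SOA": {8}, "example./NS": {8}, "www.example./A": {8}}),
    ZoneView("new zone data (constructed)", {8, 13},
             {"example./SOA": {8, 13}, "example./NS": {8, 13}, "www.example./A": {8, 13}}),
]

# Constructed sample where every version agrees: the rollover has converged.
CONSISTENT_VIEWS = [
    ZoneView(src, {8, 13},
             {"example./SOA": {8, 13}, "example./NS": {8, 13}, "www.example./A": {8, 13}})
    for src in ("ns1 (constructed)", "ns2 (constructed)", "new zone data (constructed)")
]

if __name__ == "__main__":
    for line in check_views(SAMPLE_VIEWS) or ["all versions consistent"]:
        print(line)
```

Feeding it the real views would mean querying the apex DNSKEY RRset and the RRSIGs of each RRset from every authoritative server, which is exactly the tedious step the mail recommends; the check itself stays the same.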


