Re: Summary: What to do with expired signatures

"Olaf M. Kolkman" <olaf@ripe.net> Wed, 13 February 2002 08:46 UTC

Date: Wed, 13 Feb 2002 09:32:43 +0100
From: "Olaf M. Kolkman" <olaf@ripe.net>
To: Jim Reid <Jim.Reid@nominum.com>
Cc: lewis@tislabs.com, paul@vix.com, namedroppers@ops.ietf.org
Subject: Re: Summary: What to do with expired signatures
Message-Id: <20020213093243.0ca11b52.olaf@ripe.net>
In-Reply-To: <41600.1013530810@shell.nominum.com>
References: <v03130303b88eec7b4996@[192.35.165.115]> <41600.1013530810@shell.nominum.com>
Organization: RIPE NCC
X-Mailer: Sylpheed version 0.7.0 (GTK+ 1.2.9; i686-pc-linux-gnu)
Mime-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Sender: owner-namedroppers@ops.ietf.org
Precedence: bulk

On Tue, 12 Feb 2002 08:20:10 -0800
Jim Reid <Jim.Reid@nominum.com> wrote:

> >>>>> "Edward" == Edward Lewis <lewis@tislabs.com> writes:
> 
>     Edward> Given that there is but one testable
>     Edward> implementation of RFC 2535, it has become easy to confuse
>     Edward> that implementation with the protocol.
> 
> Doesn't Olaf's Perl version of 2535 qualify as a second implementation?
> IIRC it found a bug in the BIND footprint calculation.
> 

FYI:

I have added the SIG, KEY, NXT and DS classes to Net::DNS, which means
you can read these records from a zone file and 'translate' them into
wire format and vice versa. Of course wire-to-wire is also possible :-).

The SIG class has methods to create RSA and DSA signatures using keys
generated by the BIND tools, but does not use the OpenSSL
libraries. The SIG class can also verify signatures made by the BIND
signer and by itself.

The DS class has a create method that creates a DS RR from a given
key.

The (original) Net::DNS package had resolver functionality, and there is
some server functionality in the 0.19 alpha version.


I am working on a Zone object that can be used to build a server in
Perl, but that is still pre-alpha. (If you are interested in playing
with it, please contact me.)

As for the verifying resolver: all the classes to build such a thing
are there, but it does need to be done. As soon as there is a server
that does DS-style serving and/or I have some time, I will make
a verifying resolver using the Perl tools.


--Olaf

"Original" Net::DNS on http://www.fuhr.org/~mfuhr/perldns/  

The DNSSEC extensions are built against the 0.19 development version of
Net::DNS and can be found at:
http://www.ripe.net/disi/SRC/Net-DNS-0.19-DNSSEC-0.5.tar.gz



--------------------------------------------| Olaf M. Kolkman
                                            | www.ripe.net/disi
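Two of the operations the message touches on are the key footprint (key tag) calculation that the quoted reply says the Perl code exercised against BIND, and the derivation of a DS RR from a key. The following is an added example, not part of Olaf's Net::DNS code or of this thread: it implements the footprint over KEY/DNSKEY RDATA as specified in RFC 2535 Appendix C and RFC 4034 Appendix B (including the RSA/MD5 special case), and the DS digest as SHA-1 over the canonical owner name followed by the key RDATA (RFC 3658 / RFC 4034). The owner name and key material used below are constructed sample values.

```python
import hashlib

def key_tag(rdata: bytes, algorithm: int) -> int:
    """Footprint / key tag over KEY or DNSKEY RDATA (flags, protocol, algorithm, public key).
    RFC 4034 App. B: one's-complement-style 16-bit sum, with the algorithm 1 (RSA/MD5)
    special case taken from the modulus bytes instead."""
    if algorithm == 1:
        if len(rdata) < 3:
            raise ValueError("RSA/MD5 key RDATA too short for footprint")
        # Most significant 16 bits of the least significant 24 bits of the public key
        # field, i.e. the last three octets skipping the final one.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8     # even offsets are the high octet of a 16-bit word
    ac += (ac >> 16) & 0xFFFF            # fold the carry back in
    return ac & 0xFFFF

def canonical_name(name: str) -> bytes:
    """Owner name in canonical wire form: lowercase ASCII labels, no compression,
    terminated by the root label. Escaped or non-ASCII labels are not handled here."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return out + b"\x00"

def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 1: SHA-1 over canonical owner name || key RDATA, as lowercase hex."""
    return hashlib.sha1(canonical_name(owner) + rdata).hexdigest()

def make_ds(owner: str, rdata: bytes) -> str:
    """Build the presentation form of the DS RR for a key, mirroring what a
    'create DS from key' helper has to produce: key tag, algorithm, digest type, digest."""
    algorithm = rdata[3]                 # RDATA layout: flags(2) protocol(1) algorithm(1) key
    tag = key_tag(rdata, algorithm)
    return f"{owner.rstrip('.').lower()}. IN DS {tag} {algorithm} 1 {ds_digest(owner, rdata)}"

if __name__ == "__main__":
    # Constructed sample: zone key flags 0x0101, protocol 3, algorithm 5, a dummy public key.
    sample_rdata = bytes([0x01, 0x01, 0x03, 0x05]) + bytes(range(1, 17))
    print(make_ds("Example.COM", sample_rdata))
```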

