This covers core functionality, no twiddles.
Zone signing
✅ Signing NSEC/NSEC3 RRSets on the first run (see #103 (closed))
✅ Signing SOA (see #103 (closed))
✅ Removing standalone RRSIGs
✅ Removing standalone NSECs (and their RRSIGs)
✅ Merged branch-1.4prep (with dname-refactor) => RRSets should be ordered now
✅ At delegation points, sign only DS and NSEC (the delegating NS set and glue are not authoritative and get no RRSIG); in non-authoritative nodes sign nothing @jkadlec
✅ Add 'force sign' functionality
✅ Add validity check function for supported signature families @jvcelak
Key management
✅ Searching for keys in keydir requires a 'K' at the beginning and '.private' at the end of the filename. Discuss what the best solution is (no name checking at all?) and modify accordingly. @jvcelak
✅ Currently all DNSKEY records must be inserted into the zone by hand before signing. Knot does not add any of the keys it signs with, and it does not check whether all keys loaded from keydir are already present in the zone file. Thus the zone may end up signed by more or fewer keys than the zone file publishes. Think of and discuss a better solution (use all keys and add the missing ones to the zone / use only those present in the zone file / something else). @jvcelak
✅ The DNSKEYs already in the zone are not checked either, so the key published in the zone may not be the one the zone was actually signed with. @jvcelak
✅ Deciding whether to sign with NSEC3 is currently done by detecting an NSEC3PARAM record in the zone; maybe it could be done by distinguishing the key algorithm code instead? @jvcelak
✅ Configurable signing policy (at least globally, at least signature life time) @lslovak
TODOs until 1.4.0
✅ Writing used keys to the zone. @jvcelak
✅ Fix the signature validity check - the signature cannot simply be generated again and compared byte for byte, because DSA signing is randomized (every signature uses a fresh nonce), so the existing RRSIG has to be verified instead. @jvcelak
✅ Do not allow keys with identical key tags. @jvcelak
✅ Find out how BIND behaves with automatic signing after load and reload. @jkadlec
✅ What about multiple NSEC3 chains - find out whether there is a use case and how the server should behave. @lslovak
✅ Check removing standalone NSECs at parents of wildcard nodes. @lslovak
✅ Update user manual with info about DNSSEC - mention it as an experimental feature. @jvcelak
✅ Turn on signing after DDNS (re-sign the whole zone for now; we will not have time for a better solution) @jkadlec
✅ Fix NSEC generation - not every node needs an NSEC, and NSEC chains must be reconnected after a removal @jkadlec
✅ Find out whether NSEC3 suffers from the problem above (probably not) @jkadlec
✅ Plan zone re-signing; sign the whole zone for now @jkadlec
✅ Key algorithm must be compatible with the NSEC version in use @jvcelak
✅ Check whether the zone data lock in zone_dnssec_ev() is necessary. @mvavrusa
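The key-set checks discussed in the items above (K…+alg+tag.private key file naming, keys in keydir versus DNSKEYs published in the zone, identical key tags, and key algorithm versus NSEC/NSEC3) as one standalone example. This is added illustration code, not Knot DNS code: the key tag follows RFC 4034 Appendix B, the NSEC3 algorithm rule follows RFC 5155, the DNSKEY records and key file names are constructed toy data (not real keys), and treating the NSEC3 alias algorithms 6/7 in an NSEC-signed zone as a mismatch is this example's policy.

```python
"""Sanity checks for a DNSSEC key set before signing (added example, not Knot code)."""
import base64
import re
from collections import Counter

# Algorithms RFC 5155 does not allow in an NSEC3-signed zone.
NSEC_ONLY_ALGS = {1, 3, 5}          # RSAMD5, DSA, RSASHA1
# Aliases of 3 and 5 that signal NSEC3 use (RFC 5155 section 2).
NSEC3_ALIAS_ALGS = {6, 7}           # DSA-NSEC3-SHA1, RSASHA1-NSEC3-SHA1

# BIND/Knot private key file convention: K<owner>+<alg:3 digits>+<tag:5 digits>.private
KEYFILE_RE = re.compile(r"^K(?P<owner>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.private$")


def parse_dnskey(rr: str) -> dict:
    """Parse 'owner IN DNSKEY flags proto alg base64...' into owner, algorithm and wire RDATA."""
    owner, _class, rtype, flags, proto, alg, *b64 = rr.split()
    if rtype != "DNSKEY":
        raise ValueError(f"not a DNSKEY record: {rr}")
    pubkey = base64.b64decode("".join(b64))
    rdata = int(flags).to_bytes(2, "big") + bytes([int(proto), int(alg)]) + pubkey
    return {"owner": owner.lower(), "alg": int(alg), "rdata": rdata}


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (RSAMD5 uses a different rule)."""
    if rdata[3] == 1:
        raise ValueError("algorithm 1 (RSAMD5) key tag is not computed this way")
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8      # odd offsets low byte, even offsets high byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keyfile_matches(filename: str, dnskey_rr: str) -> bool:
    """Does a K<owner>+<alg>+<tag>.private name agree with the DNSKEY it claims to belong to?"""
    m = KEYFILE_RE.match(filename)
    if not m:
        return False
    k = parse_dnskey(dnskey_rr)
    return (m["owner"].lower() == k["owner"]
            and int(m["alg"]) == k["alg"]
            and int(m["tag"]) == key_tag(k["rdata"]))


def check_keys(zone_dnskeys, keydir_dnskeys, nsec3: bool) -> list:
    """Return a list of problems found in the published vs. signing key set."""
    problems = []
    zone = [parse_dnskey(r) for r in zone_dnskeys]
    keydir = [parse_dnskey(r) for r in keydir_dnskeys]

    # Identical key tags make the RRSIG -> DNSKEY lookup ambiguous.
    for tag, n in Counter(key_tag(k["rdata"]) for k in zone).items():
        if n > 1:
            problems.append(f"{n} DNSKEYs share key tag {tag}")

    # The key algorithm must match the NSEC version in use.
    for k in zone:
        if nsec3 and k["alg"] in NSEC_ONLY_ALGS:
            problems.append(f"algorithm {k['alg']} is not NSEC3-capable")
        if not nsec3 and k["alg"] in NSEC3_ALIAS_ALGS:
            problems.append(f"algorithm {k['alg']} signals NSEC3 but zone uses NSEC")

    # Compare full RDATA: a matching key tag alone does not prove it is the same key.
    zone_rdata = {k["rdata"] for k in zone}
    keydir_rdata = {k["rdata"] for k in keydir}
    for r in keydir_rdata - zone_rdata:
        problems.append(f"signing key with tag {key_tag(r)} is missing from the zone")
    for r in zone_rdata - keydir_rdata:
        problems.append(f"DNSKEY with tag {key_tag(r)} has no private key in keydir")
    return problems


# Constructed toy records (4-byte "public keys", not real key material).
ZONE_DNSKEYS = [
    "example. IN DNSKEY 257 3 8 AQIDBA==",   # key tag 2063
    "example. IN DNSKEY 257 3 8 AgICBA==",   # a different key with the same tag 2063
    "example. IN DNSKEY 256 3 5 AQIDBA==",   # RSASHA1, not NSEC3-capable
]
KEYDIR_DNSKEYS = [
    "example. IN DNSKEY 257 3 8 AQIDBA==",
    "example. IN DNSKEY 256 3 7 AQIDBA==",   # in keydir only, never published in the zone
]

if __name__ == "__main__":
    for p in check_keys(ZONE_DNSKEYS, KEYDIR_DNSKEYS, nsec3=True):
        print("PROBLEM:", p)
    print(keyfile_matches("Kexample.+008+02063.private", ZONE_DNSKEYS[0]))
```

The two 257/3/8 records show why the key tag alone is a poor identity: distinct public keys collide on tag 2063, so both the duplicate-tag rule and the RDATA-based keydir comparison are needed.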
TODOs after 1.4.0
⌛ What about Opt-Out? How is it handled in BIND (in the server and in the dnssec-signzone utility), and how is it configured?
⌛ Write up ideas about more complex key management, automatic rollover, etc. @jvcelak
⌛ Think about clever signing of only the modified parts of the zone after a dynamic update, and likewise for zone re-signing.