<font size=2 face="sans-serif">Following up from our discussion about
the auditor yesterday, this is a description of what I think it should
be doing:</font>
<br>
<br><font size=2 face="sans-serif">a. The auditor is a quality check in
the OpenDNSSEC signing process to ensure that incorrect or out of date
signed data is not inadvertently loaded into production nameservers. It
is run by the signer engine once the zone file has been signed and checks
the signed file against the unsigned file (and against the policy) to ensure
that the signer has done its work correctly. If the auditor does
not detect a problem, the signed zone file can be loaded. To ensure
that the process is a proper quality check, the auditor has been coded
by a different programmer to that of the signer and in a different language.
However, both the signer and the auditor have a dependency on the
OpenSSL library.</font>
<br>
<br><font size=2 face="sans-serif">The auditor is an optional component
of OpenDNSSEC and the configuration file can specify that it not be run.
If the auditor _is_ configured to run, the signer writes its output
to an auditor directory and the auditor, on successful completion of the
audit, moves it to the "signed" directory. If the auditor
_is not_ configured to run, the signer writes its output directly to the
"signed" directory.</font>
<br>
<br><font size=2 face="sans-serif">Notes:</font>
<br><font size=2 face="sans-serif">i) The writing of the output file by
the signer should be a two-stage process - write to a temporary file then
rename. Such a scheme ensures that a valid signed file is not replaced
by an incomplete one should the signer fail.</font>
<br><font size=2 face="sans-serif">ii) Can we agree to rename "signer
engine" to something like the "scheduler"? As it is
responsible for initiating the auditor, I think the name is more accurate
and will lead to less confusion.</font>
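<br>
<br><font size=2 face="sans-serif">An added illustration of the two-stage write in note i) together with the audit gate in a., written for this message and not taken from OpenDNSSEC's code: the signer's output goes to a temporary file that is renamed into place only once complete, and with the auditor enabled the file is moved from the audit directory to "signed" only if the check passes. The zone records, the simple_audit check and the directory names are constructed assumptions.</font>

```python
import os
import tempfile
from pathlib import Path
from typing import BinaryIO, Callable, Optional

# Constructed sample input (assumption); a real zone is far larger.
UNSIGNED_ZONE = (b"example. 3600 IN SOA ns1.example. hostmaster.example. 1 2h 1h 1w 1h\n"
                 b"example. 3600 IN NS ns1.example.\n"
                 b"www.example. 3600 IN A 192.0.2.1\n")

def write_atomically(dest: Path, produce: Callable[[BinaryIO], None]) -> None:
    """Stage one: stream the signer's output into a temp file in the target
    directory.  Stage two: rename it over dest.  If produce() raises, the
    temp file is removed and whatever was at dest before stays untouched."""
    fd, tmp = tempfile.mkstemp(dir=dest.parent, prefix=dest.name + ".tmp.")
    try:
        with os.fdopen(fd, "wb") as f:
            produce(f)
            f.flush()
            os.fsync(f.fileno())       # data on disk before the rename
        os.replace(tmp, dest)          # atomic on POSIX within one filesystem
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise

def simple_audit(unsigned: bytes, signed: bytes) -> bool:
    """Stand-in for the auditor (hypothetical, not OpenDNSSEC's checks): every
    unsigned record must survive, and the file must carry at least one RRSIG."""
    unsigned_rrs = {l for l in unsigned.splitlines() if l.strip()}
    signed_lines = set(signed.splitlines())
    return unsigned_rrs <= signed_lines and any(b" RRSIG " in l for l in signed_lines)

def publish_signed_zone(zone: str, work_dir: Path, produce: Callable[[BinaryIO], None],
                        audit: Optional[Callable[[Path], bool]] = None) -> Path:
    """Auditor disabled: write straight into signed/.  Auditor enabled: write
    into audit/, run the check, and only a passing file is moved to signed/."""
    signed_dir, audit_dir = work_dir / "signed", work_dir / "audit"
    signed_dir.mkdir(exist_ok=True)
    audit_dir.mkdir(exist_ok=True)
    final = signed_dir / zone
    if audit is None:
        write_atomically(final, produce)
        return final
    candidate = audit_dir / zone
    write_atomically(candidate, produce)
    if not audit(candidate):
        candidate.unlink()             # a failed file never reaches signed/
        raise RuntimeError(f"audit failed for {zone}; previous signed file kept")
    os.replace(candidate, final)       # audit and signed dirs share a filesystem
    return final
```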
<br>
<br>
<br><font size=2 face="sans-serif">b. The monitor is a daemon that runs
on a system that can see the public nameservers for the zone and does consistency
checks on the data retrieved from them. As such, it shares much of
the code of the auditor and has been referred to as the "auditor daemon"
(a name I think we should no longer use). Its primary purpose is to check
signature lifetimes to see if any are approaching their expiration date
- if some are, it could indicate that either the signer is not running
or that the distribution of zone data to the secondaries has been interrupted.
It should also do other consistency checks (e.g. checking that the
KSK has a DS record in the parent zone), which may include extensive checking
of zone data should it have a copy of the input zone file or list of names
in the zone.</font>
<br>
<br>
<br><font size=2 face="sans-serif">Stephen</font>