[Opendnssec-develop] Config question

Jakob Schlyter jakob at kirei.se
Tue Aug 4 08:23:08 UTC 2009


On 4 aug 2009, at 10.03, Alexd at nominet.org.uk wrote:

> I've been looking at Pivotal issue 1018973. I have some questions  
> regarding the system configuration - sorry if the answers are  
> written down; I couldn't find them.
>
> Currently, the auditor uses zonelist.xml to find the  
> <zone_config>.xml files for each zone, and do the auditing. This is  
> apparently not good.
>
> So, I can look at conf.xml, kasp.xml and zonelist.xml, and get most  
> of the info from there. However, these files do not specify the salt  
> - this is potentially added from the DB, and not stored anywhere  
> other than <zone_config.xml>. So, I don't think it's possible to  
> write the auditor without checking this file, unless the salt is  
> queried directly from the DB.
>
> Should the auditor be checking the DB?
>
> Should the salt be stored somewhere the auditor can get it? Or  
> should that be the only information lifted from <zone_config.xml>?

hmmm, you are correct. the salt is only to be found in the  
SignerConfiguration...
as long as the policy is authoritative, I have no problem with looking  
at the SignerConfiguration. i.e., only parameters that are not to be  
found in the policy may be read from the SignerConfiguration. does  
this make sense?

	jakob
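
Added example (not part of the original message and not OpenDNSSEC code): one way an auditor could apply the rule above, taking every parameter from the policy and reading only the missing ones, such as the salt, from the signer configuration. The XML layout, the element names and the `effective_params` helper are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs. The element layout is a simplified assumption
# for illustration, not the real kasp.xml / signer configuration schema.
POLICY_XML = """<Policy name="default">
  <NSEC3><Algorithm>1</Algorithm><Iterations>5</Iterations></NSEC3>
</Policy>"""
SIGNERCONF_XML = """<SignerConfiguration>
  <NSEC3><Algorithm>1</Algorithm><Iterations>10</Iterations>
         <Salt>a1b2c3d4</Salt></NSEC3>
</SignerConfiguration>"""


def nsec3_params(xml_text):
    """Return {tag: text} for the children of the first <NSEC3> element."""
    node = ET.fromstring(xml_text).find(".//NSEC3")
    return {} if node is None else {c.tag: (c.text or "").strip() for c in node}


def effective_params(policy_xml, signer_xml):
    """Merge the two sources with the policy as the authority.

    Returns (params, sources, conflicts). A signer-configuration value is
    used only when the policy has no such parameter; where both define one,
    the policy value wins and any disagreement is reported.
    """
    policy, signer = nsec3_params(policy_xml), nsec3_params(signer_xml)
    params = dict(policy)
    sources = {key: "policy" for key in policy}
    conflicts = []
    for key, value in signer.items():
        if key not in policy:
            # Only parameters absent from the policy (here: the salt).
            params[key] = value
            sources[key] = "signerconf"
        elif policy[key] != value:
            conflicts.append((key, policy[key], value))
    return params, sources, conflicts


if __name__ == "__main__":
    params, sources, conflicts = effective_params(POLICY_XML, SIGNERCONF_XML)
    for key in sorted(params):
        print(f"{key}={params[key]} (from {sources[key]})")
    for key, want, got in conflicts:
        print(f"MISMATCH {key}: policy={want} signerconf={got}")
```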



