[Opendnssec-develop] Config question

Jakob Schlyter jakob at kirei.se
Tue Aug 4 08:23:08 UTC 2009

On 4 aug 2009, at 10.03, Alexd at nominet.org.uk wrote:

> I've been looking at Pivotal issue 1018973. I have some questions  
> regarding the system configuration - sorry if the answers are  
> written down; I couldn't find them.
> Currently, the auditor uses zonelist.xml to find the  
> <zone_config>.xml files for each zone, and do the auditing. This is  
> apparently not good.
> So, I can look at conf.xml, kasp.xml and zonelist.xml, and get most  
> of the info from there. However, these files do not specify the salt  
> - this is potentially added from the DB, and not stored anywhere  
> other than <zone_config.xml>. So, I don't think it's possible to  
> write the auditor without checking this file, unless the salt is  
> queried directly from the DB.
> Should the auditor be checking the DB?
> Should the salt be stored somewhere the auditor can get it? Or  
> should that be the only information lifted from <zone_config.xml>?

hmmm, you are correct. the salt is only to be found in the  
as long as the policy is authoritative, I have no problem with looking  
at the SignerConfiguration. i.e., only parameters that are not to be  
found in the policy may be read from the SignerConfiguration. does  
this make sense?


More information about the Opendnssec-develop mailing list