[Opendnssec-develop] Auditor daemon

Patrik Wallstrom patrik.wallstrom at iis.se
Mon Aug 24 09:53:44 UTC 2009


On Aug 24, 2009, at 8:37 AM, Jakob Schlyter wrote:

> On 13 aug 2009, at 14.42, alexd at nominet.org.uk wrote:
>
>> I'm just looking at daemonizing the auditor. Then I realised I  
>> wasn't quite sure what was meant to happen...
>>
>> How often is the auditor meant to run in daemon form? Is this  
>> configurable?
>>
>> What should happen if the auditor daemon encounters errors in the  
>> signed zone? Is this configurable?
>
> currently we have the following directories for the file adapter:
>
> /var/opendnssec/  (i.e. @localstatedir@/opendnssec)
> 	unsigned/	the unsigned zone
> 	signed/		the signed zone
>
> would it perhaps make sense to add an audited/ directory and let the  
> daemonized auditor move files from signed/ to audited/ when a zone  
> has been audited?
>
> this would perhaps change how we call the auditor from the signed  
> engine as well, just making <Audit/> in a signer configuration tell  
> the signer engine to run the signer explicitly on the file in  
> signed/ when the zone has been signed? (making the auditor run  
> explicitly rather than in batch)

I think this can be a bit confusing for the user. The Audit flag is in  
the KASP, but the directories are configured per zone. I still believe  
that the Audit flag belongs to the policy though, so having those  
directories configured per zone is not very clear if you add or remove  
the Audit from the policy. I hope you follow my reasoning here -  
because in the Audit case the signed directory is only a temp  
directory, and if no auditing is done it is the final destination.

Perhaps the chain always would be like this instead: unsigned ->  
(audit) -> signed. Then you always know the process.
