[Opendnssec-develop] Auditor daemon
patrik.wallstrom at iis.se
Mon Aug 24 09:53:44 UTC 2009
On Aug 24, 2009, at 8:37 AM, Jakob Schlyter wrote:
> On 13 aug 2009, at 14.42, alexd at nominet.org.uk wrote:
>> I'm just looking at daemonizing the auditor. Then I realised I
>> wasn't quite sure what was meant to happen...
>> How often is the auditor meant to run in daemon form? Is this
>> What should happen if the auditor daemon encounters errors in the
>> signed zone? Is this configurable?
> currently we have the following directories for the file adapter:
> /var/opendnssec/ (i.e. @localstatedir@/opendnssec)
> unsigned/ the unsigned zone
> signed/ the signed zone
> would it perhaps make sense to add an audited/ directory and let the
> daemonized auditor move files from signed/ to audited/ when a zone
> has been audited?
> this would perhaps change how we call the auditor from the signed
> engine as well, just making <Audit/> in a signer configuration tell
> the signer engine to run the signer explicitly on the file in
> signed/ when the zone has been signed? (making the auditor run
> explicitly rather than in batch)
I think this can be a bit confusing for the user. The Audit flag is in
the KASP, but the directories are configured per zone. I still believe
that the Audit flag belongs to the policy though, so having those
directories configured per zone is not very clear if you add or remove
the Audit from the policy. I hope you follow my reasoning here -
because in the Audit case the signed directory is only a temp
directory, and if no auditing is done it is the final destination.
Perhaps the chain always would be like this instead: unsigned ->
(audit) -> signed. Then you always know the process.
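The chain unsigned -> (audit) -> signed sketched above, as an added example that is not OpenDNSSEC's own code: the signer is assumed to have written its output into a staging directory named audit/ (a name chosen here, not one from the project), the auditor is any command that takes the zone file path and exits 0 on success, and only a zone that passes (or whose policy has no Audit) is renamed into signed/.

```shell
#!/bin/sh
# Added example, not OpenDNSSEC code. Assumption: the signer has already
# written the freshly signed zone to $base/audit/$zone, and $auditor is a
# command that takes that path and exits 0 when the zone passes the audit.

# publish_zone ZONE AUDIT_FLAG AUDITOR_CMD BASE_DIR
#   AUDIT_FLAG is "yes" or "no", mirroring <Audit/> in the KASP policy.
#   Returns 0 when the zone was moved into signed/, non-zero otherwise.
publish_zone() {
  zone=$1
  audit=$2
  auditor=$3
  base=$4
  staged="$base/audit/$zone"
  final="$base/signed/$zone"

  if [ ! -f "$staged" ]; then
    echo "publish_zone: no staged zone at $staged" >&2
    return 2
  fi

  if [ "$audit" = "yes" ]; then
    # Fail closed: a zone that does not pass the audit never reaches
    # signed/, so the previously published version stays in place.
    if ! $auditor "$staged"; then
      echo "publish_zone: audit failed for $zone, left in audit/" >&2
      return 1
    fi
  fi

  # Within one filesystem mv is an atomic rename, so readers of signed/
  # see either the old file or the complete new one, never a partial write.
  mv "$staged" "$final"
}
```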