[Opendnssec-develop] Auditor daemon

Rickard Bondesson rickard.bondesson at iis.se
Mon Aug 24 10:08:32 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> > Perhaps the chain always would be like this instead: unsigned ->
> > (audit) -> signed. Then you always know the process.
> 
> I agree, but in this case the auditor never has to run as a 
> daemon, right?

Wasn't the idea to use the auditor in two modes?

One mode where it is called by the Signer Engine to check the zone before sending it out from the system. This depends on whether you have <Audit/> in the KASP.
If <Audit />: unsigned -> Signer Engine -> Auditor -> signed
If not <Audit />: unsigned -> Signer Engine -> signed

So the auditor can stop the zone distribution in this case.

The other case was an auditor daemon that runs regularly and checks the zones. It can only give warnings (to syslog or whatever), but is not able to stop the zone distribution.
-----BEGIN PGP SIGNATURE-----
Version: 9.8.3 (Build 4028)
Charset: utf-8

wsBVAwUBSpJmoOCjgaNTdVjaAQi+swf+Lgiz/4ef2YGAm7Sf6c0c2I/RVUl8jLBL
XQSEMAQtik8zyv8lBMiwgUigO1RUkfTEfYu3e6XfaPqkYiscqVld2vhVReodCf8h
C0UTLZuM3He/JoNE88gXBcHNYtAh6cTUwDzhOJDi6FhBxnqoE2eXeUCW/4QXakI5
n8hkUToLe/Sm7ZIJHChBoH1cZqSpda3ZvPsOU4gv1YHtM2JDmjdbWSkGwc4KXc7f
XJKU3mEzC/1q+4Hk91acQJrbGOvYG8gr2fwYy6RnCZ8BU7EcFcvjMDUQiyqXBdjv
qU6M7c1fMhklYLdBJjqXzASbGGBbIKp6l0uFlfbJnU4wRw4It6tEeA==
=xOTs
-----END PGP SIGNATURE-----
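The two auditor modes described in the message above, sketched as an added example (this is not OpenDNSSEC code and not the author's). Everything below is a toy model and an assumption: a zone is a list of (owner, type, rdata) tuples, the "auditor" only checks that no unsigned record was lost during signing and that every owner name in the signed zone carries an RRSIG, the `sign()` stand-in for the Signer Engine simply appends one RRSIG per owner, and the KASP fragments are constructed with an invented minimal layout just to show the `<Audit/>` switch. Mode 1 (`sign_and_publish`) runs the auditor inside the signing chain and can refuse to release the zone; mode 2 (`periodic_check`) runs over an already-published zone and can only log warnings.

```python
"""Two auditor modes for a DNSSEC signing chain: gating vs. warn-only.

Toy model for illustration, not OpenDNSSEC code. The zone data, the KASP
fragments and the audit checks are all constructed for this example.
"""
import logging
import xml.etree.ElementTree as ET

log = logging.getLogger("auditor")


class AuditFailed(Exception):
    """Raised in gating mode when the auditor rejects the signed zone."""


# Constructed KASP fragments (assumed minimal layout, only the <Audit/> switch matters).
KASP_WITH_AUDIT = "<KASP><Policy name='default'><Audit/></Policy></KASP>"
KASP_WITHOUT_AUDIT = "<KASP><Policy name='default'/></KASP>"

# Constructed unsigned zone: (owner, type, rdata) tuples.
UNSIGNED = [
    ("example.", "SOA", "ns1.example. hostmaster.example. 1 3600 900 604800 86400"),
    ("example.", "NS", "ns1.example."),
    ("www.example.", "A", "192.0.2.1"),
]


def audit_enabled(kasp_xml: str) -> bool:
    """True if the policy contains an <Audit/> element (assumed KASP layout)."""
    return ET.fromstring(kasp_xml).find(".//Audit") is not None


def audit(unsigned, signed):
    """Return the list of problems found; an empty list means the zone passes.

    Two toy checks: every unsigned record must survive signing, and every
    owner name in the signed zone must carry at least one RRSIG.
    """
    problems = []
    signed_set = set(signed)
    for rr in unsigned:
        if rr not in signed_set:
            problems.append(f"record dropped during signing: {rr}")
    owners = {owner for owner, _, _ in signed}
    rrsig_owners = {owner for owner, rtype, _ in signed if rtype == "RRSIG"}
    for owner in sorted(owners - rrsig_owners):
        problems.append(f"no RRSIG for owner {owner}")
    return problems


def sign(unsigned, drop=None):
    """Stand-in for the Signer Engine: copy records, add one fake RRSIG per owner.

    'drop' simulates a buggy signer that loses a record, so the auditor has
    something to catch.
    """
    signed = [rr for rr in unsigned if rr != drop]
    for owner in sorted({owner for owner, _, _ in signed}):
        signed.append((owner, "RRSIG", f"sig-over-{owner}"))
    return signed


def sign_and_publish(unsigned, kasp_xml, drop=None):
    """Mode 1: auditor called by the signer; it can stop distribution.

    With <Audit/>:    unsigned -> Signer Engine -> Auditor -> signed
    Without <Audit/>: unsigned -> Signer Engine -> signed
    """
    signed = sign(unsigned, drop)
    if audit_enabled(kasp_xml):
        problems = audit(unsigned, signed)
        if problems:
            raise AuditFailed("; ".join(problems))
    return signed


def periodic_check(unsigned, signed):
    """Mode 2: auditor daemon over an already-published zone.

    It cannot stop distribution; it only logs warnings and returns them so a
    caller (or a test) can see what it found.
    """
    problems = audit(unsigned, signed)
    for problem in problems:
        log.warning("zone audit: %s", problem)
    return problems


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(len(sign_and_publish(UNSIGNED, KASP_WITH_AUDIT)), "records published")
    print(periodic_check(UNSIGNED, sign(UNSIGNED, drop=UNSIGNED[2])))
```

The point the chain in the message makes is visible in the last two functions: with `<Audit/>` in the policy a broken signing run never leaves `sign_and_publish`, whereas `periodic_check` on the same broken output only produces a warning after the fact.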