[Opendnssec-develop] Auditor daemon
Stephen.Morris at nominet.org.uk
Mon Aug 24 10:42:35 UTC 2009
Patrik Wallstrom <patrik.wallstrom at iis.se> wrote on 24/08/2009 10:53:44:
> > this would perhaps change how we call the auditor from the signed
> > engine as well, just making <Audit/> in a signer configuration tell
> > the signer engine to run the signer explicitly on the file in
> > signed/ when the zone has been signed? (making the auditor run
> > explicitly rather than in batch)
>
> I think this can be a bit confusing for the user. The Audit flag is in
> the KASP, but the directories are configured per zone. I still believe
> that the Audit flag belongs to the policy though, so having those
> directories configured per zone is not very clear if you add or remove
> the Audit from the policy. I hope you follow my reasoning here -
> because in the Audit case the signed directory is only a temp
> directory, and if no auditing is done it is the final destination.
>
> Perhaps the chain always would be like this instead: unsigned ->
> (audit) -> signed. Then you always know the process.
IMHO, the easiest way to handle this would be for the signer to always
write the signed file to the auditor's directory and to always invoke the
auditor. If the audit flag is absent, the auditor just moves the file
from the auditor directory to the output directory. It (marginally)
simplifies the signer and means that only the auditor has to interpret the
auditor-related elements of the configuration file.
"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 24/08/2009 11:08:32:
> Wasn't the idea to use the auditor in two modes?
>
> One mode where it is called by the Signer Engine to check the zone before
> sending it out from the system. This depends if you have <Audit/> in the KASP.
> If <Audit />: unsigned -> Signer Engine -> Auditor -> signed
> If not <Audit />: unsigned -> Signer Engine -> signed
>
> So that auditor can stop the zone distribution in this case.
>
> The other case was an auditor daemon that runs regularly and checks the zones.
> It can only give warnings (to syslog or whatever), but not be able to stop the
> zone distribution.
The original idea was to have the auditor daemon run from a box able to
look at the zone being published via production nameservers. It should be
able to warn about problems such as the signing process having failed or
that the distribution from the primary had stopped (both of which result
in published signatures approaching their expiration date).
Stephen
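A small model of the chain proposed above, added here as an illustration. It is not OpenDNSSEC code and not written by anyone in this thread. The signer stage always drops its output into the auditor's directory and always hands over to the auditor; when the policy has no <Audit/> the auditor simply moves the file on, and when it does the auditor runs a check and holds the zone if anything is wrong. The check implemented is the one mentioned at the end of the mail, signatures that are expired or about to expire, so the same function serves the warn-only daemon mode. The directory names audit/ and signed/, the three-day warning window, the function names and the sample zone text are all assumptions of this example.

```python
import os
import re
import shutil
from datetime import datetime, timedelta, timezone

# Presentation-format RRSIG:
#   owner TTL IN RRSIG type alg labels orig_ttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<sig>\S+)\s*$"
)

# Constructed sample data for the example; "now" is the date of this thread.
NOW = datetime(2009, 8, 24, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2009082401 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20090920000000 20090820000000 12345 example.com. c2lnbmF0dXJl
www.example.com. 3600 IN A 192.0.2.1
www.example.com. 3600 IN RRSIG A 8 3 3600 20090825120000 20090818120000 12345 example.com. c2lnbmF0dXJl
"""
HEALTHY_ZONE = "\n".join(SAMPLE_ZONE.splitlines()[:2]) + "\n"


def _ts(s):
    """Turn a YYYYMMDDHHMMSS RRSIG timestamp into an aware UTC datetime."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Extract the RRSIG records of a zone in presentation format."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line.strip())
        if m:
            sigs.append({"owner": m["owner"], "covered": m["covered"],
                         "expiration": _ts(m["expiration"]),
                         "inception": _ts(m["inception"])})
    return sigs


def check_signatures(zone_text, now, warn_within=timedelta(days=3)):
    """Return a list of problems; an empty list means the zone passes.

    A signature that is expired, not yet valid, or closer to expiry than
    warn_within is reported. The window is an assumption of this example.
    """
    sigs = parse_rrsigs(zone_text)
    problems = []
    if not sigs:
        problems.append("no RRSIG records found: zone does not look signed")
    for s in sigs:
        tag = f"{s['owner']} RRSIG({s['covered']})"
        if s["inception"] > now:
            problems.append(f"{tag} not yet valid, inception {s['inception']:%Y%m%d%H%M%S}")
        elif s["expiration"] <= now:
            problems.append(f"{tag} expired at {s['expiration']:%Y%m%d%H%M%S}")
        elif s["expiration"] - now <= warn_within:
            left = s["expiration"] - now
            problems.append(f"{tag} expires in {left} at {s['expiration']:%Y%m%d%H%M%S}")
    return problems


def deliver(root, zone_name, signed_text, audit_enabled, now):
    """Signer hand-off: always write to audit/, always call the auditor.

    Returns ("signed", []) when the file was moved to signed/, or
    ("held", problems) when the audit failed and the file stays in audit/.
    With audit_enabled False the auditor only moves the file.
    """
    audit_dir = os.path.join(root, "audit")
    signed_dir = os.path.join(root, "signed")
    os.makedirs(audit_dir, exist_ok=True)
    os.makedirs(signed_dir, exist_ok=True)
    audit_path = os.path.join(audit_dir, zone_name)
    with open(audit_path, "w") as fh:
        fh.write(signed_text)
    problems = check_signatures(signed_text, now) if audit_enabled else []
    if problems:
        return "held", problems  # zone distribution stops here
    shutil.move(audit_path, os.path.join(signed_dir, zone_name))
    return "signed", problems


if __name__ == "__main__":
    import tempfile
    root = tempfile.mkdtemp()
    for audit in (True, False):
        status, problems = deliver(root, "example.com", SAMPLE_ZONE, audit, NOW)
        print(f"audit={audit}: {status}", *problems, sep="\n  ")
```

The daemon mode described by Rickard would call check_signatures on the zone fetched from a production nameserver and log the returned list instead of holding anything; the decision to block or only warn lives in the caller, not in the check.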