[Opendnssec-develop] Auditor daemon

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Mon Aug 24 10:42:35 UTC 2009

Patrik Wallstrom <patrik.wallstrom at iis.se> wrote on 24/08/2009 10:53:44:

> > this would perhaps change how we call the auditor from the signed 
> > engine as well, just making <Audit/> in a signer configuration tell 
> > the signer engine to run the signer explicitly on the file in 
> > signed/ when the zone has been signed? (making the auditor run 
> > explicitly rather than in batch)
> I think this can be a bit confusing for the user. The Audit flag is in 
> the KASP, but the directories are configured per zone. I still believe 
> that the Audit flag belongs to the policy though, so having those 
> directories configured per zone is not very clear if you add or remove 
> the Audit from the policy. I hope you follow my reasoning here - 
> because in the Audit case the signed directory is only a temp 
> directory, and if not auditing is done it is the final destination.
> Perhaps the chain always would be like this instead: unsigned -> 
> (audit) -> signed. Then you always know the process.

IMHO, the easiest way to handle this would be for the signer to always 
write the signed file to the auditor's directory and to always invoke the 
auditor.  If the audit flag is absent, the auditor just moves the file 
from the auditor directory to the output directory.  It (marginally) 
simplifies the signer and means that only the auditor has to interpret the 
auditor-related elements of the configuration file.

"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 24/08/2009 

> Wasn't the idea to use the auditor in two modes?
> One mode where it is called by the Signer Engine to check the zone 
> sending it out from the system. This depends if you have <Audit/> in the 
> If <Audit />: unsigned -> Signer Engine -> Auditor -> signed
> If not <Audit />: unsigned -> Signer Engine -> signed
> So that auditor can stop the zone distribution in this case.
> The other case was an auditor daemon that runs regularly and checks the 
> It can only give warnings (to syslog or whatever), but not be able to 
stop the
> zone distribution.

The original idea was to have the auditor daemon run from a box able to 
look at the zone being published via production nameservers.  It should be 
able to warn about problems such as the signing process having failed or 
that the distribution from the primary had stopped (both of which result 
in published signatures approaching their expiration date).


More information about the Opendnssec-develop mailing list