[Opendnssec-develop] Auditor daemon

Jakob Schlyter jakob at kirei.se
Mon Aug 24 11:28:26 UTC 2009

> IMHO, the easiest way to handle this would be for the signer to always
> write the signed file to the auditor's directory and to always  
> invoke the
> auditor.  If the audit flag is absent, the auditor just moves the file
> from the auditor directory to the output directory.  It (marginally)
> simplifies the signer and means that only the auditor has to  
> interpret the
> auditor-related elements of the configuration file.

since the auditor is optional, I don't think this a good way forward.

I'd prefer the signer writes to signed/ and then notifies a running  
auditor if required. The auditor would audit the file and move it (or  
copy?) it to audited/ (configurable of course) if it passes the audit.  
if it doesn't get any notification from the signer it will scan for  
newly signed files anyway (since you cannot trust the signer to  
request auditing).

I'm just mapping how things works in the real work. you don't call  
your auditor, they appear from time to time and do their work. you  
might want to give them a hint you have new stuff to audit, but they  
still knock on your door as required by the policy.

at the same time, if you do not require auditing - you're not required  
to have an auditor for justing moving stuff.

we can discuss his more thursday perhaps,


More information about the Opendnssec-develop mailing list