[Opendnssec-develop] Auditor daemon
Jakob Schlyter
jakob at kirei.se
Mon Aug 24 11:28:26 UTC 2009
> IMHO, the easiest way to handle this would be for the signer to always
> write the signed file to the auditor's directory and to always
> invoke the
> auditor. If the audit flag is absent, the auditor just moves the file
> from the auditor directory to the output directory. It (marginally)
> simplifies the signer and means that only the auditor has to
> interpret the
> auditor-related elements of the configuration file.
since the auditor is optional, I don't think this is a good way forward.
I'd prefer the signer writes to signed/ and then notifies a running
auditor if required. The auditor would audit the file and move (or
copy?) it to audited/ (configurable of course) if it passes the audit.
if it doesn't get any notification from the signer it will scan for
newly signed files anyway (since you cannot trust the signer to
request auditing).
I'm just mapping how things work in the real world. you don't call
your auditor, they appear from time to time and do their work. you
might want to give them a hint you have new stuff to audit, but they
still knock on your door as required by the policy.
at the same time, if you do not require auditing - you're not required
to have an auditor for just moving stuff.
we can discuss this more on Thursday perhaps,
jakob
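The scan-and-move workflow described in this message, as an added example that is not part of the thread or of OpenDNSSEC itself: the auditor scans signed/ for files it has not yet handled, applies an audit hook when policy requires one, and moves passing files to audited/. The directory names, the `audit_fn` hook and the toy "contains RRSIG" check are assumptions for illustration.

```python
import shutil
import tempfile
from pathlib import Path
from typing import Callable, Dict, Optional, Set

# Hypothetical audit hook: returns True when the signed zone file passes.
AuditFn = Callable[[Path], bool]


def scan_signed(signed_dir: Path, audited_dir: Path, audit_fn: AuditFn,
                audit_required: bool = True,
                seen: Optional[Set[str]] = None) -> Dict[str, str]:
    """Scan signed_dir for zone files not yet handled and process each one.

    Returns filename -> "moved" (now in audited_dir), "failed" (left in
    signed_dir for the operator to inspect) or "skipped" (already handled).
    A file is keyed by name plus mtime, so a re-signed zone with the same
    name is audited again rather than silently skipped.
    """
    if seen is None:
        seen = set()
    audited_dir.mkdir(parents=True, exist_ok=True)
    results: Dict[str, str] = {}
    for zone in sorted(signed_dir.iterdir()):
        if not zone.is_file():
            continue
        key = f"{zone.name}:{zone.stat().st_mtime_ns}"
        if key in seen:
            results[zone.name] = "skipped"
            continue
        seen.add(key)
        # Policy decides whether an audit is needed; without one, just hand over.
        if audit_required and not audit_fn(zone):
            results[zone.name] = "failed"
            continue
        shutil.move(str(zone), str(audited_dir / zone.name))
        results[zone.name] = "moved"
    return results


def demo() -> Dict[str, str]:
    """Run one scan over constructed sample files in a temporary tree."""
    root = Path(tempfile.mkdtemp())
    signed, audited = root / "signed", root / "audited"
    signed.mkdir()
    # Constructed sample zone files: only the first carries a signature record.
    (signed / "example.com.signed").write_text("example.com. 3600 IN RRSIG A 8 2 ...\n")
    (signed / "broken.net.signed").write_text("broken.net. 3600 IN A 192.0.2.1\n")

    def toy_audit(path: Path) -> bool:  # stand-in for a real DNSSEC validation
        return "RRSIG" in path.read_text()

    return scan_signed(signed, audited, toy_audit)
```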