[Opendnssec-develop] Role of the Auditor

Jakob Schlyter jakob at kirei.se
Fri Aug 28 12:51:51 UTC 2009

On 28 aug 2009, at 14.46, Stephen.Morris at nominet.org.uk wrote:

> a. The auditor is an quality check in the OpenDNSSEC signing process  
> to ensure that incorrect or out of date signed data is not  
> inadvertently loaded into production nameservers.  It is run by the  
> signer engine once the zone file has been signed and checks the  
> signed file against the unsigned file (and against the policy) to  
> ensure that the signer has done its work correctly.   If the auditor  
> does not detect a problem, the signed zone file can be loaded.  To  
> ensure that the process is a proper quality check, the auditor has  
> been coded by a different programmer to that of the signer and in a  
> different language.

I agree.

>  However, both the signer and the auditor have a dependency on the  
> OpenSSL library.

no, they don't - the signer does not use code from OpenSSL. the  
auditor does though.

> The auditor is an optional component of OpenDNSSEC and the  
> configuration file can specify that it not be run.  If the auditor  
> _is_ configured to run, the signer writes its output to an auditor  
> directory and the auditor, on successful completion of the audit,  
> moves it to the "signed" directory.  If the auditor _is not_  
> configured to run, the signer writes its output directly to the  
> "signed" directory.


> Notes:
> i) The writing of the output file by the signer should be a two- 
> stage process - write to a temporary file then rename.  Such a  
> scheme ensure that a valid signed file is not replaced by an  
> incomplete one should the signer fail.
> ii) Can we agree to rename "signer engine" to something like the  
> "scheduler"?  As it is responsible for initiating the auditor, I  
> think the name is more accurate and will lead to less confusion.

the signer engine is the component that drives the signing process -  
see http://svn.opendnssec.org/docs/dnssec-signer-arch-detail.png.

I have some more diagrams how this will look in v2 when we integrate  
adapters, signer engine and all its components - will post them to the  
repo shortly.

> b. The monitor is a daemon that runs on a system that can see the  
> public nameservers for the zone and does consistency checks on the  
> data retrieved from them.  As such, it shares much of the code of  
> the auditor and has been referred to as the "auditor daemon" (a name  
> I think we should no longer use). Its primary purpose is to check  
> signature lifetimes to see if any are approaching their expiration  
> date - if some are, it could indicate that either the signer is not  
> running or that the distribution of zone data to the secondaries has  
> been interrupted.  It should also do other consistency checks (e.g.  
> checking that the KSK has a DS record in the parent zone), which may  
> include extensive checking of zone data should it have a copy of the  
> input zone file or list of names in the zone.

yes, and the monitor has not yet been written.


More information about the Opendnssec-develop mailing list