[Opendnssec-develop] engine proof-of-concept

Jelte Jansen jelte at NLnetLabs.nl
Fri Jan 30 12:49:41 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

> Author: jelte
> Date: 2009-01-30 13:46:34 +0100 (Fri, 30 Jan 2009)
> New Revision: 120
>
> Log:
> proof-of-proof-of-concept-concept for a signing engine, see README

from the README:

What I just committed is a very crude, quickly hacked-together proof-of-concept
of the proof-of-concept I had in mind: a python-based 'engine' that keeps track
of signing intervals and resigns the zones.

It does not do kasp interaction, nor pkcs11, or even configuration loading at
the moment; every setting must be set through the command channel (either 'telnet
localhost 47806' or engine_cli.py).

There is not much in the form of error checking, the thread locking needs work,
and if something goes wrong, it will mangle the signed zone files. It will also
fail horribly when too many zones are configured, because it will run out of
file descriptors when it does its process pipe magic.

It might very well not work at all ;)

To run it you must have a compiled version of ldns trunk in your LD_LIBRARY_PATH
(DY_LD_LIBRARY_PATH on OSX), and have (re)compiled the trunk version of the signer
tools. Paths it uses are relative, so the engine will only work if it is run
from its own directory.

To create the test zones you'll also need the ldns tools in your PATH.

To create a test setup:

cd <opendnssec repos>/signer_engine/test
./create.pl

This creates some test zones and an init script that can be run through the
cli to set up those zones with a resign interval of 60 seconds.

To run the engine:
cd <opendnssec repos>/signer_engine
./engine.py

To add the test zones you just created:
cd <opendnssec repos>/signer_engine
cat test/init_script | ./engine_cli.py


If you stop it, restart it, and run the init_script through the cli again, it
should recognize which zones need resigning based upon their modified time.

Let me know if it works, and what you think. If people like this direction, I
can expand on the concept and make something that might actually be usable.

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkmC92UACgkQ4nZCKsdOncXVowCg1PWE8CemZ0XYGmoeP9m32RXE
bWEAoMkAUi1xYykXYgOAIIOCtS/opxT1
=pZUv
-----END PGP SIGNATURE-----
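The message describes the engine's core bookkeeping: each zone has a resign interval, and after a restart the engine decides which zones are due by comparing the signed file's modification time against that interval. The following is an added example of that logic, not code from the OpenDNSSEC repository or from Jelte; the Zone layout, the "signed/<zone>" paths and the make_fake_stat stand-in for os.stat are assumptions made so it runs offline.

```python
"""Due-for-resign bookkeeping in the style described in the message (added example)."""
import os
from dataclasses import dataclass
from types import SimpleNamespace


@dataclass
class Zone:
    name: str
    signed_file: str       # path of the signed zone file (assumed layout)
    resign_interval: int   # seconds between resigns, e.g. 60 as in test/init_script


def last_signed(zone, stat=os.stat):
    """mtime of the signed zone file, or None if it has never been written."""
    try:
        return stat(zone.signed_file).st_mtime
    except FileNotFoundError:
        return None


def seconds_until_due(zone, now, stat=os.stat):
    """0 when the zone must be resigned now (never signed, or interval elapsed)."""
    mtime = last_signed(zone, stat)
    if mtime is None:
        return 0
    return max(0, int(mtime + zone.resign_interval - now))


def zones_due(zones, now, stat=os.stat):
    """Names of zones whose resign interval has elapsed, in a stable order."""
    return sorted(z.name for z in zones if seconds_until_due(z, now, stat) == 0)


def next_wakeup(zones, now, stat=os.stat):
    """How long the engine may sleep before the next zone becomes due (None if no zones)."""
    if not zones:
        return None
    return min(seconds_until_due(z, now, stat) for z in zones)


def make_fake_stat(mtimes):
    """Constructed stand-in for os.stat so the logic can be exercised without files."""
    def fake_stat(path):
        if path not in mtimes:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_mtime=mtimes[path])
    return fake_stat


if __name__ == "__main__":
    # Constructed sample: a.example signed long ago, b.example recently, c.example never.
    zones = [Zone("a.example", "signed/a.example", 60),
             Zone("b.example", "signed/b.example", 60),
             Zone("c.example", "signed/c.example", 60)]
    stat = make_fake_stat({"signed/a.example": 1000.0, "signed/b.example": 1050.0})
    now = 1070.0
    print("due now:", zones_due(zones, now, stat))          # ['a.example', 'c.example']
    print("sleep for:", next_wakeup(zones, now, stat), "s")  # 0
```

Because due-ness is derived from the signed file's mtime rather than from in-memory state, the same functions give the right answer after a restart, which is the behaviour the message asks testers to check. Signing the zones returned by zones_due one after another, rather than spawning a signer pipeline per zone at once, also avoids the file-descriptor exhaustion the message warns about when many zones are configured.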