[Opendnssec-develop] KSK Rollovers

Ray.Bellis at nominet.org.uk Ray.Bellis at nominet.org.uk
Fri Jul 3 13:10:58 UTC 2009


> Instead, could KASP or the signer log the information in syslog? If this is
> in the form of an easily identifiable message, the user's systems
> could intercept those messages and automatically generate an EPP
> request to the parent.  (Which leads to a definition question:
> should it be KASP or should it be the signer that generates the
> message?)

I'm personally not in favour of using syslog for this sort of thing.

Primarily syslog is designed as a logging mechanism, not as an IPC 
mechanism.  It's not designed to be 100% secure or reliable (although 
newer versions do attempt to address this).

My preference would be for KASP to automatically invoke (end-user 
specified) programs as necessary, so that EPP and/or whatever else can be 
supplied by third parties.

Alternately use a reliable IPC mechanism (such as a specific named-pipe) 
that's dedicated for KASP's use, and not shared with any other part of the 
system.

Ray
