[Opendnssec-develop] engine config for auditing
Jelte Jansen
jelte at NLnetLabs.nl
Tue Jul 14 11:01:43 UTC 2009
(resend, forgot -to-all when pressing reply)
Jakob Schlyter wrote:
> On 14 jul 2009, at 12.54, Jelte Jansen wrote:
>
>> putting it in zone_config.xml would be most logical (for now i read
>> it from zonelist.xml, but it's not a hard change).
>
> logical for whom? not from an auditing/security policy perspective.
> when a given policy is set you also - as part of the policy - specify
> how it should be audited. so per design, IMHO, that's where the
> auditing configuration should be.
>
>> But wasn't automatic auditing one of the hard requirements for alpha?
>
> true. I say we do <audit/> in the kasp for now and let that propate
> into the signconf in cases where the signer is asked to requets an
> audit. ok?
>
sorry, i'm only talking from the point of view of the engine, so how the
kasp knows whether to put <Audit/> in the config was not considered yet
in my message. So we seem to agree :)
More information about the Opendnssec-develop
mailing list