[Opendnssec-develop] engine config for auditing

Jelte Jansen jelte at NLnetLabs.nl
Tue Jul 14 11:01:43 UTC 2009


(resend, forgot -to-all when pressing reply)

Jakob Schlyter wrote:
> On 14 jul 2009, at 12.54, Jelte Jansen wrote:
>
>> putting it in zone_config.xml would be most logical (for now I read
>> it from zonelist.xml, but it's not a hard change).
>
> logical for whom? not from an auditing/security policy perspective. 
> when a given policy is set you also - as part of the policy - specify 
> how it should be audited. so per design, IMHO, that's where the 
> auditing configuration should be.
>
>> But wasn't automatic auditing one of the hard requirements for alpha?
>
> true. I say we do <audit/> in the kasp for now and let that propagate
> into the signconf in cases where the signer is asked to request an
> audit. ok?
>

Sorry, I'm only talking from the point of view of the engine, so how the
kasp knows whether to put <Audit/> in the config was not considered yet
in my message. So we seem to agree :)




