[Opendnssec-develop] Meeting agenda 20090602

John Dickinson jad at jadickinson.co.uk
Tue Jun 2 11:45:12 UTC 2009


On 1 Jun 2009, at 17:14, Stephen.Morris at nominet.org.uk wrote:

> "Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 01/06/2009
> 09:34:47:
>
>> Hi
>>
>> Next meeting
>> Date: Tuesday 2 June
>> Time: 14:00-15:00 CEST
>>
>> Please add more topics on the wiki if you have any:
>>
>> http://www.opendnssec.se/wiki/Meetings/Agenda/2009-06-02
>>
>> // Rickard
>
> Some things we should raise in the topic "What functionality are we
> missing?":
>
> 1. A "Watchdog" process that checks that everything is running.
> This is something that should be running from the time the system is
> booted.  If any process is missing, it logs an emergency message.  Is
> something like this needed?
>
> 2. Emergency messages
> This leads on from the last one.  Some messages should be immediately
> notified to the operator (e.g. the Kasp Auditor notifying the operator
> that the signed zone file has failed one or more tests). How do we do
> this?  Although some sites will use programs like Nagios and do their own
> monitoring, others may want a system that comes "out of the box".  The
> easiest way seems to be some form of email notification - should we supply
> the framework? (e.g.
> http://www.johnandcailin.com/blog/john/how-setup-real-time-email-notification-critical-syslog-events
> )


A couple of thoughts in case they go out of my head at the meeting - I  
really do not think that we should do either of these. These are basic  
operational problems that operators should already have sorted. BIND  
and NSD don't feel the need to do this so why do we? The signer is no  
more important than the name server.

Watchdog processes already exist; some even form part of improved rc.d
systems like Solaris has. Also, you can always run the daemons in the
foreground and restart them in a loop. (See Appendix D of http://ftp.isc.org/isc/pubs/tn/isc-tn-2004-1.txt)

An email in someone's inbox is of no more use than an error message in
a log file when it comes to actually informing a real person about an
issue.

As long as we use standard logging -> syslog, then that should be
sufficient.

If we really want OpenDNSSEC to be proactive in sending alerts then I
suggest we request a private enterprise number and send SNMP traps.
However, having written a MIB once before for this kind of thing it is
not something I would enjoy doing again :)

John
---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Lands end to John O'Groats to raise money for  
Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009






