[Opendnssec-develop] ZoneList revisited

Jelte Jansen jelte at NLnetLabs.nl
Mon Mar 30 08:36:30 UTC 2009


Jakob Schlyter wrote:
> hi,
> 
> I've been thinking about zonelist and how it would be used when you have
> a lot of zones. Based on this I suggest the following changes:
> 
>  - remove LastUpdate from ZoneList, the signer can simply fstat() the
> right SignerConf to find out when it was last updated.

I already use fstat() for something like that when the engine starts,
but it would save a lot of fstats if I got a hint when to look where :)
(OTOH, not having to parse the entire list of zone names is probably a
good thing if only one changes)

>  - Move zone-to-policy mapping from KASP to ZoneList/Zone, thus making
> it possible to add zones without changing the policy file.
>  - Move adapter configuration from signconf to ZoneList/Zone, the
> enforcer doesn't really need to know how the zones are fetched.
>  - Add signerConfiguration attribute to the ZoneList/Zone to tell the
> signer where to find the SignerConfiguration for a zone.
> 
> The result of these changes would be that the signer only needs to be
> fed the ZoneList and all other parameters can be derived from that.
> So we have:
> 
>  KASP - defines policy. auditable, but free from the actual list of
> zones (one file for all policies).
>  ZoneList - defines what zones are to be signed, where the signer can
> find the files and what configuration to use
>  SignerConfiguration- signer configuration parameters (one file per zone)
> 

So, the zone list is not written by the kasp/enforcer anymore? Who/what
will do it then? (I'm assuming the admin here, (and later) by way of
UI, but it would mean people typing in XML. blerg. OTOH the zones will
have to be told to the system somehow anyway)

The split is nice though, and the reallocations make a lot of sense then.

Jelte
