[Opendnssec-develop] Optimization of the sorter
matthijs at NLnetLabs.nl
Tue Jan 12 12:49:27 CET 2010
Rickard Bellgrim wrote:
> How was the information flowing now again?
> Unsigned zone -> sorter -> zone.sorted
> (Sort the zone canonically)
> zone.sorted -> zone_reader -> zone.processed
> (Sort the zone according to the relevant signing details (either in
> 'normal' or 'NSEC3' space) and add DNSKEYS)
> zone.processed -> nseccer/nsec3er -> zone.nsecced
> (strips the glue from it, and adds nsec(3) records)
> zone.nsecced + zone.signed -> signer -> zone.signed2 -> zone.signed
> ((re)signs the zone)
> zone.signed -> finalizer -> zone.finalized
> (Uncomment the glue etc.)
> zone.finalized -> (Auditor) -> Signed zone
> (Output the signed zone)
> And if the sorting config has changed, then do this first:
> zone.signed -> sorter -> zone.signed.sorted
> zone.signed.sorted -> zone_reader -> zone.signed.processed -> zone.signed

If certain parameters in the config have been changed, different
processing might be needed. Sometimes the zone is rescheduled to reNSEC,
sometimes to re-sort, sometimes just re-signing is needed.

> The sorter is now also flattening the zone file. Couldn't this only be
> done for the unsigned zone and not the internal zone. Because we could
> assume that the internal zone storage is ok (when sorting the zone.signed)?

Yes, we could skip flattening by setting another command line option.

> What is the difference between the sorting in sorter and nseccer? Or is
> it just that the zone is only sorted a second time if you are using nsec3er?

nseccer does not sort. zone_reader does a different sorting if NSEC3 is
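
The pipeline quoted above sorts the zone twice: canonically in the sorter, then in 'normal' or 'NSEC3' space in zone_reader. As an added illustration (not OpenDNSSEC code and not part of the original message), this Python example compares RFC 4034 canonical owner-name order with RFC 5155 hashed-owner order; the function names are assumptions, and the owner names, salt and iteration count are those of the RFC 5155 example zone.

```python
import base64
import hashlib

# Translation from standard base32 to base32hex (RFC 4648 section 7).
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Split an owner name into lowercase byte labels (root label dropped)."""
    return [l.encode("ascii") for l in name.lower().rstrip(".").split(".") if l]

def canonical_key(name):
    """RFC 4034 section 6.1: compare labels right to left as lowercase octets."""
    return list(reversed(labels(name)))

def wire_format(name):
    """Lowercase DNS wire format: length-prefixed labels plus the root label."""
    return b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"

def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5: iterated SHA-1 over the wire-format name and salt."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_format(name) + salt).digest()
    for _ in range(iterations):          # 'iterations' counts the extra rounds
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32hex characters, so no padding appears.
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def canonical_order(names):
    """Order used in 'normal' (NSEC) space."""
    return sorted(names, key=canonical_key)

def nsec3_order(names, salt_hex, iterations):
    """Order used in NSEC3 space: sort by hashed owner name."""
    return sorted(names, key=lambda n: nsec3_hash(n, salt_hex, iterations))

if __name__ == "__main__":
    # Owner names and NSEC3 parameters from the RFC 5155 example zone.
    zone = ["ns1.example.", "a.example.", "example."]
    print("canonical:", canonical_order(zone))
    for n in nsec3_order(zone, "aabbccdd", 12):
        print(nsec3_hash(n, "aabbccdd", 12), n)
```

The two orders differ for the same set of names, which is why a zone already in canonical order still needs a second sort before an NSEC3 chain can be built.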