[Opendnssec-develop] Optimization of the sorter

Matthijs Mekking matthijs at NLnetLabs.nl
Tue Jan 12 12:49:27 CET 2010


Rickard Bellgrim wrote:
> How was the information flowing now again?
>  
> Unsigned zone -> sorter -> zone.sorted
> (Sort the zone canonically)

Yes.

> zone.sorted -> zone_reader -> zone.processed
> (Sort the zone according to the relevant signing details (either in
> 'normal' or 'NSEC3' space) and add DNSKEYS)

Yes.

> zone.processed -> nseccer/nsec3er -> zone.nsecced
> (strips the glue from it, and adds nsec(3) records)

Yes.

> zone.nsecced + zone.signed -> signer -> zone.signed2 -> zone.signed
> ((re)signs the zone)

Yes.

> zone.signed -> finalizer -> zone.finalized
> (Uncomment the glue etc.)

Yes.

> zone.finalized -> (Auditor) -> Signed zone
> (Output the signed zone)

Yes.

>  
> And if the sorting config has changed, then do this first:
> zone.signed -> sorter -> zone.signed.sorted
> zone.signed.sorted -> zone_reader -> zone.signed.processed -> zone.signed

If certain parameters in the config have been changed, different
processing might be needed. Sometimes the zone is rescheduled to reNSEC,
sometimes to re-sort, sometimes just re-signing is needed.

> The sorter is now also flattening the zone file. Couldn't this only be
> done for the unsigned zone and not the internal zone. Because we could
> assume that the internal zone storage is ok (when sorting the zone.signed)?

Yes, we could skip flattening by setting another command line option.

> What is the difference between the sorting in sorter and nseccer? Or is
> it just that the zone is only sorted a second time if you are using nsec3er?

nseccer does not sort. zone_reader does a different sorting if NSEC3 is
used.


Best regards,

Matthijs
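
The two orderings discussed in this thread, as an added example that is not part of the original message and is not OpenDNSSEC code. It assumes "canonically" means the RFC 4034 section 6.1 name order and "NSEC3 space" means ordering by the RFC 5155 hashed owner name; the function names are hypothetical, the sample names are constructed, and the salt and iteration count are the RFC 5155 Appendix A values.

```python
import base64
import hashlib

# Map the standard base32 alphabet to base32hex, the encoding NSEC3 uses.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

def labels(name):
    """Split a presentation-format name into lowercased labels (no escape handling)."""
    return [l.lower().encode("ascii") for l in name.rstrip(".").split(".") if l]

def canonical_key(name):
    """RFC 4034 6.1: compare labels right to left as lowercase octet strings."""
    return tuple(reversed(labels(name)))

def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: salted, iterated SHA-1 over the lowercase wire-format name."""
    wire = b"".join(bytes([len(l)]) + l for l in labels(name)) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # 'iterations' counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii").lower()

def canonical_order(names):
    """Order used for a plain NSEC chain."""
    return sorted(names, key=canonical_key)

def nsec3_order(names, salt, iterations):
    """Order used for an NSEC3 chain: by hashed owner name, not by the name itself."""
    return sorted(names, key=lambda n: nsec3_hash(n, salt, iterations))

# Constructed sample owner names, deliberately out of order and in mixed case.
SAMPLE = ["z.example.", "ns1.example.", "Z.a.example.", "example.", "a.example."]
SALT = bytes.fromhex("aabbccdd")  # RFC 5155 Appendix A salt
ITERATIONS = 12                   # RFC 5155 Appendix A iteration count

if __name__ == "__main__":
    print("canonical order:")
    for n in canonical_order(SAMPLE):
        print("  ", n)
    print("NSEC3 order:")
    for n in nsec3_order(SAMPLE, SALT, ITERATIONS):
        print("  ", nsec3_hash(n, SALT, ITERATIONS), n)
```

The same set of names lands in a different sequence under each key, which is why a change of NSEC3 parameters (salt, iterations) forces a re-sort and not just a re-sign.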


