[Opendnssec-develop] Reloading zonelists into the signer engine

Rick van Rein rick at openfortress.nl
Wed Jul 28 09:00:59 UTC 2010


Hello Sion/Matthijs,

> Is the use case adding new zones?

Yes, or a mixture with removing zones.  We generate zonelists and then
update KASP accordingly.  When we add zones, we find that they do not
end up in OpenDNSSEC easily, not even when we suggest having backed
up keys.

> If it is then after adding the zone with ksmutil you _need_ the enforcer to
> run to allocate keys to the new zone.

Yes, we found that there is no pool of standby keys yet.  We let it do
that and then issue "backup done".

> Assuming that the enforcer has no problems doing this it will ask the signer
> to look at the new zone, after creating a new signconf.

So, what you are saying is that the problem lies solely in the
communication between the signer and the zone_fetcher?  But
that the enforcer already invokes "ods-signer update"?

> If the use case is removing zones then ksmutil already calls the signer to say 
> that the zonelist has changed.

Also through "ods-signer update" I presume?

> Or have I misunderstood the request?

It's quite possible that I've misunderstood the link between KASP and
Signer.  If my question-marked understanding from your words is right,
I need only look at the signer/zone_fetcher communication.

Thanks,
 -Rick
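The thread turns on the step before KASP is touched: generating a zonelist and working out which zones were added and which removed, then running the follow-up commands named in the discussion. The script below is an added example for this thread, not OpenDNSSEC code. It reconciles a constructed sample zonelist.xml (in the OpenDNSSEC 1.x format) against a desired zone set, emits the new zonelist, and lists the commands the thread mentions (ksmutil zone add/delete, "backup done", "ods-signer update") as strings rather than executing them. The directory paths and the exact ksmutil flag names are assumptions and should be checked against conf.xml and the locally installed ksmutil.

```python
"""Reconcile an OpenDNSSEC 1.x zonelist.xml against a desired set of zones.

Added example for the mailing-list thread; not OpenDNSSEC's own code.
Element names follow the zonelist.xml format; directory paths and the
ksmutil flag names are assumptions to be checked locally.
"""
import xml.etree.ElementTree as ET

# Assumed layout; align with the <Signer> and <Adapters> settings in conf.xml.
SIGNCONF_DIR = "/var/opendnssec/signconf"
UNSIGNED_DIR = "/var/opendnssec/unsigned"
SIGNED_DIR = "/var/opendnssec/signed"

# Constructed sample of an existing zonelist.xml with two zones.
CURRENT_ZONELIST = """<ZoneList>
  <Zone name="example.com">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/example.com</File></Input>
      <Output><File>/var/opendnssec/signed/example.com</File></Output>
    </Adapters>
  </Zone>
  <Zone name="old.example">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/old.example.xml</SignerConfiguration>
    <Adapters>
      <Input><File>/var/opendnssec/unsigned/old.example</File></Input>
      <Output><File>/var/opendnssec/signed/old.example</File></Output>
    </Adapters>
  </Zone>
</ZoneList>
"""


def zones_in(zonelist_xml: str) -> dict:
    """Return {zone name: policy} for every <Zone> in a zonelist document."""
    root = ET.fromstring(zonelist_xml)
    return {zone.get("name"): zone.findtext("Policy", default="default")
            for zone in root.findall("Zone")}


def zone_element(name: str, policy: str) -> ET.Element:
    """Build one <Zone> element with file adapters under the assumed directories."""
    zone = ET.Element("Zone", name=name)
    ET.SubElement(zone, "Policy").text = policy
    ET.SubElement(zone, "SignerConfiguration").text = f"{SIGNCONF_DIR}/{name}.xml"
    adapters = ET.SubElement(zone, "Adapters")
    ET.SubElement(ET.SubElement(adapters, "Input"), "File").text = f"{UNSIGNED_DIR}/{name}"
    ET.SubElement(ET.SubElement(adapters, "Output"), "File").text = f"{SIGNED_DIR}/{name}"
    return zone


def build_zonelist(desired: dict) -> str:
    """Serialise the desired {zone: policy} mapping as a zonelist.xml document."""
    root = ET.Element("ZoneList")
    for name in sorted(desired):
        root.append(zone_element(name, desired[name]))
    return ET.tostring(root, encoding="unicode")


def plan(current_xml: str, desired: dict) -> dict:
    """Compute the zone additions/removals and the follow-up commands.

    The 'followup' entries are the commands the thread names; they are
    returned as strings for review, not executed. Flag names are assumed.
    """
    current = zones_in(current_xml)
    added = sorted(set(desired) - set(current))
    removed = sorted(set(current) - set(desired))
    followup = []
    for name in added:
        followup.append(f"ods-ksmutil zone add --zone {name} --policy {desired[name]}")
    for name in removed:
        followup.append(f"ods-ksmutil zone delete --zone {name}")
    if added:
        # New zones only get keys once the enforcer has run; mark backups after that.
        followup.append("ods-ksmutil backup done  # run after the enforcer allocated keys")
    if added or removed:
        followup.append("ods-signer update")
    return {"added": added, "removed": removed,
            "followup": followup, "zonelist": build_zonelist(desired)}


if __name__ == "__main__":
    result = plan(CURRENT_ZONELIST, {"example.com": "default", "new.example": "default"})
    print("add:", result["added"], "remove:", result["removed"])
    print("\n".join(result["followup"]))
```

The point of computing the diff before writing anything is that a removed zone and an added zone need different follow-ups: removals only need the signer told that the zonelist changed, while additions cannot be signed until the enforcer has allocated keys and those keys have been marked as backed up.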
