[Opendnssec-develop] Enforcer changes
rickard.bellgrim at iis.se
Tue May 11 14:22:51 UTC 2010
On 11 maj 2010, at 15.39, Sion Lloyd wrote:
I'm looking at what I need to do to the enforcer and I'm going to suggest that I sort out key sharing before I restructure the code to try to improve speed.
This is the opposite way to pivotal but I think that it is more logical as the changes to fix key sharing will have an impact on the redesign.
The main goal is to get key sharing and handling of many zones working. Maybe we can throw some stuff out from Pivotal and write new stuff for the Enforcer once we have set our mind on what to do.
Basically I will move all the timings into the dnsseckeys table from the keypairs table and shake until it works. Then I can look at indexing tables etc... Note that this means v1.2 will need a different database structure and so will not be backwards compatible, does that seem reasonable to everyone?
As long as we can get a migration script.
One question, should we be able to mark an instance of a key in a zone as compromised without marking other uses of that key? I think that marking one should mark them all (this changes which table the "compromisedflag" column goes in).
If a shared key is compromised, then it is comprised for all of the zones sharing this key.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Opendnssec-develop