[Opendnssec-develop] Auditor support

Matthijs Mekking matthijs at NLnetLabs.nl
Fri Feb 4 08:46:37 UTC 2011



Hi,

If it means reading a zone from a different source (like DB or AXFR,
instead of file), I don't think the auditor needs much adaptation (if
any at all). The signer makes copies of the unsigned and signed zone in
file format, that it can directly feed to the auditor.

IXFR is quite a different story.

Best regards,

Matthijs

On 02/03/2011 05:19 PM, Alex Dalitz wrote:
>> But I am curious about how you see the auditor and future development work. Are you willing to have it adapted to the new adapter functionality? And is it possible, without too much work?
> 
> To be honest, I'm not entirely clear what the "new adapter functionality" actually means. If it means IXFR, and reading zone updates from a DB, then I'm not sure how much value the auditor can usefully add (other than checking individual RRSIGs, which are pretty much working correctly now). Key lifetime tracking can still be performed - but, IMHO, it would be better done by a monitor process watching the (possibly private) nameserver (as we have for .uk), rather than an in-line auditor process.
> 
> If folks disagree, I'd be quite happy to write a new, stripped-down auditor which only did key lifetime and RRSIG checking. Again, I wouldn't see this as being the default installation option.
> 
> Thanks,
> 
> 
> Alex.


