[Opendnssec-develop] OpenDNSSEC 1.4 and the auditor

Jakob Schlyter jakob at kirei.se
Tue Nov 8 12:54:48 UTC 2011

On 8 nov 2011, at 13:40, Matthijs Mekking wrote:

> My first suggestion was an optional element in conf.xml
> 	<Auditor>/path_to_auditor/binary -z %zone ...</Auditor>
> which will be called by the signer instead of the current auditor. We'll
> have to make sure there are substitutes possible for zone name, config
> file, working directory, unsigned file, signed file. This will differ
> for DNS Adapters (compared to File Adapters). Perhaps an Auditor API is
> needed?

I think the above would be enough. If that command exists and returns non-zero, reject the zone.

> By the way, 1.3 still has the auditor enabled by default.

I don't have a problem with that, we can remove it in 1.4 anyway.


Jakob Schlyter
Kirei AB - http://www.kirei.se/
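
A sketch of how a signer could run such a command and apply the "non-zero means reject" rule, added here as an example; it is not OpenDNSSEC code and was not posted in this thread. The function name `audit_zone`, the `%signed` placeholder and the choice to treat an auditor that cannot be started as a rejection are assumptions; only `%zone` and the `<Auditor>` element come from the message above.

```c
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGS 16

/* A token that is exactly a placeholder is replaced; anything else is kept. */
static const char *expand(const char *tok, const char *zone, const char *signed_file)
{
    if (strcmp(tok, "%zone") == 0) return zone;
    if (strcmp(tok, "%signed") == 0) return signed_file;  /* hypothetical name */
    return tok;
}

/* Returns 1 to accept the zone, 0 to reject it. */
int audit_zone(const char *tmpl, const char *zone, const char *signed_file)
{
    char buf[512], *argv[MAX_ARGS + 1], *p = buf;
    int argc = 0, status = 0;
    pid_t pid;

    if (tmpl == NULL || *tmpl == '\0') return 1;   /* no auditor configured */
    if (strlen(tmpl) >= sizeof(buf)) return 0;     /* oversized template: reject */
    strcpy(buf, tmpl);

    /* Split the template first and substitute afterwards, so a value with
     * spaces or shell metacharacters always remains a single argument. */
    while (*(p += strspn(p, " \t")) != '\0') {
        char *tok = p;
        p += strcspn(p, " \t");
        if (*p != '\0') *p++ = '\0';
        if (argc == MAX_ARGS) return 0;
        argv[argc++] = (char *)expand(tok, zone, signed_file);
    }
    if (argc == 0) return 1;                       /* blank element */
    argv[argc] = NULL;

    pid = fork();
    if (pid < 0) return 0;
    if (pid == 0) {
        execv(argv[0], argv);                      /* no shell, no PATH lookup */
        _exit(127);                                /* could not start: non-zero */
    }
    if (waitpid(pid, &status, 0) < 0) return 0;
    return WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Because the command is never handed to a shell, a zone name taken from configuration or from a DNS adapter cannot add arguments or commands of its own.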
