[Opendnssec-develop] EnforcerNG

Yuri Schaeffer yuri at nlnetlabs.nl
Fri Aug 24 10:13:09 UTC 2012

On 08/24/2012 11:44 AM, Jerry Lundström wrote:
> On Aug 24, 2012, at 11:40 , Yuri Schaeffer wrote:
>> No. Much to my regret enf-ng does not enforce zones in parallel.

> Uhm What? :/
> Wasn't that a big part of the rewrite?

In my opinion it was, but it has been decided otherwise.

The reason is singular as far as I can tell. Zones could share keys.
Thus creating new keys / deciding to reuse an existing key creates a
race condition for those policies.

I see 3 options:
 - locking. only needed for sharedkeys and only once per lifetime (I've
always been in favor for this)
 - Do not process zones with such policy parallel to other zones with
same policy.
 - No enforcing in parallel. but only handle user i/o, resalting,
generating signconf etc. To prevent locking.

The latter is chosen.

More information about the Opendnssec-develop mailing list