[Opendnssec-develop] EnforcerNG
Yuri Schaeffer
yuri at nlnetlabs.nl
Fri Aug 24 10:13:09 UTC 2012
On 08/24/2012 11:44 AM, Jerry Lundström wrote:
> On Aug 24, 2012, at 11:40 , Yuri Schaeffer wrote:
>> No. Much to my regret enf-ng does not enforce zones in parallel.
> Uhm What? :/
>
> Wasn't that a big part of the rewrite?

In my opinion it was, but it has been decided otherwise.

The reason is singular as far as I can tell. Zones could share keys.
Thus creating new keys / deciding to reuse an existing key creates a
race condition for those policies.

I see 3 options:
- Locking. Only needed for sharedkeys and only once per lifetime (I've
  always been in favor of this).
- Do not process zones with such a policy in parallel with other zones
  with the same policy.
- No enforcing in parallel, but only handle user I/O, resalting,
  generating signconf etc., to prevent locking.

The latter is chosen.