[Opendnssec-develop] Feature proposal: Stop Enforcer action on given zone

Rick van Rein rick at openfortress.nl
Thu May 10 22:49:46 UTC 2012


Hello,

Over the past few years, I've seen OpenDNSSEC lock up in curious ways -- not in
the last place because I tend to treat software harshly while testing, in a hope
to learn about its behaviour in exceptional cases, and help the project forward.

When trying to wheeze out of tight spots, the approach usually comes down to
shutting down the Enforcer and acting directly upon the Signer.  The reason is
always the same -- spontaneous actions by the Enforcer are disruptive to testing
and recovery procedures, especially because they complicate those actions.

Still, while doing this is a Good Idea (tm) for challenged zones, it may at the
same time disrupt the proper functioning of other zones, notably on adding and
removing them, or rolling their keys within a time slot that is tight for
whatever reason.  The solution is simple and probably very usable to the admin:
An ability to block the progress of the Enforcer completely on a given zone.
That very specifically includes blocks on writing out SignConf files and
working on the keys in the HSM (need to think through ShareKeys policies
though).

If all of y'all agree that this is useful, I suppose this could be turned
into a feature request.  It's just my bilateral tuppence.


Cheers,
 -Rick


