[Opendnssec-develop] Feature proposal: Stop Enforcer action on given zone

Siôn Lloyd sion at nominet.org.uk
Fri May 11 08:05:49 UTC 2012


On 11/05/12 08:43, Jerry Lundström wrote:
> Hi Rick,
>
> Interesting proposal...
>
> On Fri, May 11, 2012 at 12:49 AM, Rick van Rein <rick at openfortress.nl> wrote:
>> When trying to wheeze out of tight spots, the approach usually comes down to
>> shutting down the Enforcer and acting directly upon the Signer.  The reason is
>> always the same -- spontaneous actions by the Enforcer are disruptive to testing
>> and recovery procedures, especially because they complicate those actions.
> Could you give us some examples/scenarios here?
>
> To me it sounds like a miss in the procedure if you leave the Enforcer running.
>

So you are proposing something along the lines of "ksmutil zone freeze
-z <ZONE>" which stops the enforcer from changing keys?

This should be okay, you may see some extra complaints when you
unfreeze, say if a key has been in use long past its retirement date.

There may be questions on whether we need to reset any timers also, for
instance would we believe that a key has been published for 5 days if
the zone was frozen for most of that time?

Sion
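The timer question above (does a key count as "published for 5 days" if the zone was frozen for most of that time?) can be made concrete with a small added model. This is example code written for this discussion, not OpenDNSSEC or ksmutil code; the freeze intervals, the `reset_on_freeze` policy switch and the sample dates are assumptions.

```python
from datetime import datetime, timedelta


def merge_intervals(intervals):
    """Merge overlapping (start, end) pairs so no frozen time is subtracted twice."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def effective_elapsed(published, now, frozen):
    """Time since `published`, minus the time the enforcer was frozen on the zone.

    `frozen` is a list of (start, end) datetimes for the hypothetical
    'zone freeze' windows; windows outside [published, now] are clipped.
    """
    total = now - published
    for start, end in merge_intervals(frozen):
        start, end = max(start, published), min(end, now)
        if end > start:
            total -= end - start
    return total


def publication_satisfied(published, now, frozen, required, reset_on_freeze):
    """Has the key been published long enough to move to the next state?

    reset_on_freeze=False: wall-clock view, the key was in the zone all along.
    reset_on_freeze=True:  count only time the enforcer was actually active.
    """
    if reset_on_freeze:
        elapsed = effective_elapsed(published, now, frozen)
    else:
        elapsed = now - published
    return elapsed >= required


# Constructed scenario: published 5 days ago, zone frozen for the last 4 days,
# and the policy wants 3 days of publication before the key may be used.
T0 = datetime(2012, 5, 6)
NOW = T0 + timedelta(days=5)
FROZEN = [(T0 + timedelta(days=1), T0 + timedelta(days=5))]
REQUIRED = timedelta(days=3)
```

With these inputs the wall-clock policy says the key is ready while the freeze-aware policy says only one day counts, which is exactly the ambiguity a freeze feature would need to settle.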


