[Opendnssec-develop] Feature proposal: Stop Enforcer action on given zone

Rick van Rein rick at openfortress.nl
Fri May 11 08:18:49 UTC 2012


Hello,

> Interesting proposal...

It's a personal itch... and I'm sure more have experienced the same.

> Could you give us some examples/scenarios here?

Sure, here's a mistake that I made (thanks go to Roland for helping to
debunk it):

I imported ZKT keys into OpenDNSSEC last month, and did not pay enough
attention to the destination policy's different keys.  (Yes, I will add
a note to the HOWTO that I wrote.)  So now the zone is trying to roll
to RSASHA256 keys where I used RSASHA1 before.  The system is not stopping
me from doing this, but Unbound is killing the subjected domains.

The first step is a quickfix -- getting the domain back up by editing
the .signconf manually.  This is only reliable while ods-enforcer is
stopped.  I didn't have time to really fix the solution immediately;
moreover, I tend to want to think about the best way a bit.

At the same time, I was rolling out a new ENUM domain for a customer,
and needed to roll it through OpenDNSSEC.  This required an active
Enforcer.

As you can tell, I'm forever experimenting.  Downtime is an occupational
hazard, but I think it is useful because it can support other users who
end up in trouble just as well.

> To me it sounds like a miss in the procedure if you leave the Enforcer running.

Yes, from the perspective of the zone being recovered.  But not from the
perspective of that new domain being added.  It could be useful to be able
to switch the Enforcer on or off for those separately.  At least, that is
what I learnt from this.


Cheers,
 -Rick
