[Opendnssec-develop] Authoritative: file vs database

Jakob Schlyter jakob at kirei.se
Wed Sep 26 15:37:35 UTC 2012

To resolve the issue whether the file or database is authoritative, I propose that we (starting with 2.0) introduce a separate zone list generated by the enforcer and consumed by the signer engine. This would split the user-to-opendnssec and enforcer-to-signer interface into two different interfaces and make it clearer what needs to be replicated (for HA), editable by the user and generated by the system itself.

The administrator could still import/export the existing zonelist or modify the enforcer database using the command line tools. At some point later, we can replace the enforcer->signer interface with something more elaborate (socket, shared memory, ...) and remove the temporary files. See attached graphics for a view of this.

Configuration of this new file would be /var/opendnssec/signconf/zonelist.xml (or perhaps a different basename to lessen the user confusion of having multiple files called zonelist.xml).

What say you?

	jakob (soon off to the airport)
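As an added illustration of the split proposed above (not code from the post or from the OpenDNSSEC project), the following Python sketch shows the enforcer side generating a signer-facing zone list from its own data and publishing it atomically, and the signer side consuming it. The enforcer "database" here is a constructed in-memory dict, the XML layout (ZoneList/Zone/Policy/SignerConfiguration/Adapters) is an assumption modelled on the existing zonelist.xml format rather than anything the post specifies, and the unsigned/signed adapter paths are placeholders. The atomic temp-file-plus-rename write is the one property a practitioner would want here: the signer never observes a half-written generated file, and the user-editable list is never touched by the generator.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed stand-in for the enforcer database: zone name -> policy name.
ENFORCER_ZONES = {
    "example.com": "default",
    "example.net": "lax",
}

# Directory named in the proposal for the generated, enforcer-to-signer file.
SIGNCONF_DIR = "/var/opendnssec/signconf"


def build_zonelist(zones, signconf_dir=SIGNCONF_DIR):
    """Enforcer side: render the zone list the signer will consume (assumed layout)."""
    root = ET.Element("ZoneList")
    for name in sorted(zones):  # deterministic order makes diffs/replication reviewable
        zone = ET.SubElement(root, "Zone", name=name)
        ET.SubElement(zone, "Policy").text = zones[name]
        ET.SubElement(zone, "SignerConfiguration").text = f"{signconf_dir}/{name}.xml"
        adapters = ET.SubElement(zone, "Adapters")
        # Placeholder adapter paths; real deployments would take these from the database.
        inp = ET.SubElement(ET.SubElement(adapters, "Input"), "Adapter", type="File")
        inp.text = f"/var/opendnssec/unsigned/{name}"
        out = ET.SubElement(ET.SubElement(adapters, "Output"), "Adapter", type="File")
        out.text = f"/var/opendnssec/signed/{name}"
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def publish_zonelist(zones, path):
    """Write the generated list atomically: temp file in the same directory, fsync, rename.

    The signer either sees the previous complete file or the new complete file,
    never a truncated one, and a crash mid-write leaves the old list in place.
    """
    data = build_zonelist(zones)
    dirname = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=dirname, prefix=".zonelist-", suffix=".tmp")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)  # generated file: world-readable, writable only by the enforcer
        os.replace(tmp, path)
    finally:
        if os.path.exists(tmp):  # only true if something failed before the rename
            os.unlink(tmp)
    return data


def load_zonelist(path):
    """Signer side: parse the generated list into {zone: (policy, signconf path)}."""
    tree = ET.parse(path)
    result = {}
    for zone in tree.getroot().findall("Zone"):
        result[zone.get("name")] = (
            zone.findtext("Policy"),
            zone.findtext("SignerConfiguration"),
        )
    return result


def roundtrip_demo():
    """Generate, publish and re-read the list in a scratch directory; return (zones, leftovers)."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "zonelist.xml")
    publish_zonelist(ENFORCER_ZONES, path)
    zones = load_zonelist(path)
    leftovers = [f for f in os.listdir(workdir) if f.startswith(".zonelist-")]
    return zones, leftovers


if __name__ == "__main__":
    zones, leftovers = roundtrip_demo()
    for name, (policy, signconf) in zones.items():
        print(f"{name}: policy={policy} signconf={signconf}")
    print("temporary files left behind:", leftovers)
```

Because the generated file lives beside the per-zone signer configurations and is never edited by hand, what must be replicated for HA is the enforcer database plus this directory; the user-edited zonelist.xml stays an import/export convenience rather than the system's source of truth.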

-------------- next part --------------
A non-text attachment was scrubbed...
Name: PastedGraphic-1.pdf
Type: application/pdf
Size: 81136 bytes
Desc: not available
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20120926/7e6e8d46/attachment.pdf>