[Opendnssec-develop] Authoritative: file vs database

Roland van Rijswijk - Deij Roland.vanRijswijk at surfnet.nl
Wed Sep 26 17:21:40 UTC 2012

Hi Jakob,

On 26 sep. 2012, at 17:37, Jakob Schlyter <jakob at kirei.se> wrote:

> To resolve the issue whether the file or database is authoritative, I propose that we (starting with 2.0) introduce a separate zone list generated by the enforcer and consumed by the signer engine. This would split the user-to-opendnssec and enforcer-to-signer interface into two different interfaces and make it clearer what needs to be replicated (for HA), editable by the user and generated by the system itself.
> The administrator could still import/export the existing zonelist or modify the enforcer database using the command line tools. At some point later, we can replace the enforcer->signer interface with something more elaborate (socket, shared memory, ...) and remove the temporary files. See attached graphics for a view of this.
> Configuration of this new file would be /var/opendnssec/signconf/zonelist.xml (or perhaps a different basename to lessen the user confusion of having multiple files called zonelist.xml).
> What say you?

Excellent idea says I ;-)




-- Roland M. van Rijswijk - Deij
-- SURFnet bv
-- w: http://www.surfnet.nl/en/
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
