[Opendnssec-develop] Authoritative: file vs database
Matthijs Mekking
matthijs at nlnetlabs.nl
Thu Sep 27 11:42:06 UTC 2012
On 09/26/2012 05:37 PM, Jakob Schlyter wrote:
> To resolve the issue whether the file or database is authoritative, I propose that we (starting with 2.0) introduce a separate zone list generated by the enforcer and consumed by the signer engine. This would split the user-to-opendnssec and enforcer-to-signer interface into two different interfaces and make it clearer what needs to be replicated (for HA), editable by the user and generated by the system itself.
>
> The administrator could still import/export the existing zonelist or modify the enforcer database using the command line tools. At some point later, we can replace the enforcer->signer interface with something more elaborate (socket, shared memory, ...) and remove the temporary files. See attached graphics for a view of this.
>
> Configuration of this new file would be /var/opendnssec/signconf/zonelist.xml (or perhaps a different basename to lessen the user confusion of having multiple files called zonelist.xml).
>
> What say you?
>
> jakob (soon off to the airport)
I made that suggestion last Friday to have a zonelist.xml generated by
the enforcer into the signconf dir during the developers meeting, so
yeah: +1.
We can reuse the zonelist.xml syntax, or we can think of a better, more
scalable way to read the zones.
Best regards,
Matthijs