[Opendnssec-develop] Authoritative: file vs database

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Sep 27 11:42:06 UTC 2012

On 09/26/2012 05:37 PM, Jakob Schlyter wrote:
> To resolve the issue whether the file or database is authoritative, I propose that we (starting with 2.0) introduce a separate zone list generated by the enforcer and consumed by the signer engine. This would split the user-to-opendnssec and enforcer-to-signer interface into two different interfaces and make it clearer what needs to be replicated (for HA), editable by the user and generated by the system itself.
> The administrator could still import/export the existing zonelist or modify the enforcer database using the command line tools. At some point later, we can replace the enforcer->signer interface with something more elaborate (socket, shared memory, ...) and remove the temporary files. See attached graphics for a view of this.
> Configuration of this new file would be /var/opendnssec/signconf/zonelist.xml (or perhaps a different basename to lessen the user confusion of having multiple files called zonelist.xml).
> What say you?
> 	jakob (soon off to the airport)

I made that suggestion last Friday to have a zonelist.xml generated by
the enforcer into the signconf dir during the developers meeting, so
yeah: +1.

We can reuse the zonelist.xml syntax, or we can think of a better, more
scalable way to read the zones.

Best regards,
