[Opendnssec-develop] Authoritative: file vs database
matthijs at nlnetlabs.nl
Thu Sep 27 11:42:06 UTC 2012
On 09/26/2012 05:37 PM, Jakob Schlyter wrote:
> To resolve the issue whether the file or database is authoritative, I propose that we (starting with 2.0) introduce a separate zone list generated by the enforcer and consumed by the signer engine. This would split the user-to-opendnssec and enforcer-to-signer interface into two different interfaces and make it clearer what needs to be replicated (for HA), editable by the user and generated by the system itself.
> The administrator could still import/export the existing zonelist or modify the enforcer database using the command line tools. At some point later, we can replace the enforcer->signer interface with something more elaborate (socket, shared memory, ...) and remove the temporary files. See attached graphics for a view of this.
> Configuration of this new file would be /var/opendnssec/signconf/zonelist.xml (or perhaps a different basename to lessen the user confusion of having multiple files called zonelist.xml).
> What say you?
> jakob (soon off to the airport)
I made that suggestion last Friday to have a zonelist.xml generated by
the enforcer into the signconf dir during the developers meeting, so
We can reuse the zonelist.xml syntax, or we can think of a better, more
scalable way to read the zones.