[Opendnssec-develop] Multiple views with current OpenDNSSEC (well, almost)

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Oct 3 09:16:54 UTC 2013

Hi all,

The issue of multiple views came up again on the user list.  While thinking about it, I realised it could be done in a relatively simple manner, without (or hardly without) burden to the Enforcer.

The thing is, if you share most of the infrastructure (Enforcer, database and HSM) between the views, then all that changes is the Signer.  It would be possible to run multiple signers, each handling a name.  They would be sharing the keying material, which is a great simplification relative to the split-key models of comlpetely independent ODS setups.

The only things that would need to change are interface issues:
 - the Enforcer should be kicking >1 Signers
 - the SignConf files must be rewritten with path names that match the views' inputs and outputs
Or am I forgetting anything here?

This function could perhaps be performed by an intermediate which splits the signer, splitting the signconf & kick interface between Enforcer and Signer.  This might be integrated with the Signer itself, which would fork itself with various configurations; or, it could be aware of multiple views as different paths to input/output files; it could list (zone,view) combinations in the queue, or it could iterate over all views (input/output paths) of a zone when handling a zone.

So, questions:

* Would it be problematic to the Enforcer to generate _relative_ paths to Input / Output files for zones?
* Would it be problematic to the Signer to prefix a per-view directory in front of the signconf'd Input / Output files?
* Would it be difficult to have multiple zones with different dirname+relpath locations for their files in the same queue?

I hope this is useful :)


More information about the Opendnssec-develop mailing list