[Opendnssec-develop] Multiple views with current OpenDNSSEC (well, almost)
jerry at opendnssec.org
Mon Oct 7 08:47:59 UTC 2013
On Oct 7, 2013, at 08:39 , Rick van Rein (OpenFortress) wrote:
>>> Or am I forgetting anything here?
>> You also have to sync events such as ds-seen, but other than that I think what you propose might work.
> Thanks for confirming that!
Let's not rush ahead now.
> Do you and others see this split-Signer approach as a way that we could officialise, and integrate into OpenDNSSEC? The reason to put off my previous, split-Enforcer based approach was, if I recall correctly, the difficulty of getting it into, notably, the Enforcer.
A split-Signer approach is, in my view, wrong. It will add unnecessary operational complexity and feels more like a workaround than a solid solution. The discussion so far has been 2 views, one internal and one external, but what if you want 20 views? Should there be 20 Signers running just because one zone has 20 views? This does not hold up in the long run.
It would be a lot better and more stable to add support for views correctly into the Enforcer and Signer and it might not even be a big job. Basically it has to do with the internal design of how zones are processed: the zone name is the unique key identifying a zone and what needs to be done is to add a view identifier that is included into the unique key for the zone (unless I am missing something). This will enable Enforcer and Signer to have different paths, configurations, input and output for the same zone but for different views.
Please also have in mind that even if this may not be much work we really need to focus on releasing 2.0 (that is dragging a few years) so this might be something to consider for 2.2.
Jerry Lundström - OpenDNSSEC Developer