[Opendnssec-develop] Multiple views with current OpenDNSSEC (well, almost)
Rick van Rein (OpenFortress)
rick at openfortress.nl
Mon Oct 7 08:59:11 UTC 2013
> A split-Signer approach is, in my view, wrong. It will add unnecessary operational complexity and feels more like a workaround than a solid solution. The discussion so far has been 2 views, one internal and one external, but what if you want 20 views? Should there be 20 Signers running just because one zone has 20 views? This does not hold up in the long run.
Agreed. The split I propose is a conceptual one, and not the best possible implementation. Even if I use the lingo of an implementation to sketch the practicality.
What I wanted to point out with this split-signer approach is that it could make sense to have an Enforcer reign over the keys that are shared among the views. Such shared key management greatly simplifies the child / parent transition when the child has views and the parent does not, or maybe has different views. This is a conceptual simplification, not merely a simplification of the implementation.
> It would be a lot better and more stable to add support for views correctly into the Enforcer and Signer, and it might not even be a big job. Basically it has to do with the internal design of how zones are processed: the zone name is the unique key identifying a zone, and what needs to be done is to add a view identifier that is included in the unique key for the zone (unless I'm missing something). This will enable Enforcer and Signer to have different paths, configurations, input and output for the same zone but for different views.
That's what I'm saying indeed :-) -- except that I'd propose to not make the Enforcer aware of the split.
I've posted a question to Matthijs with precisely what you are describing here, asking him if it seems feasible to him. Then there'd be one Signer process with a queue that holds (zone,view) identified jobs.
> Please also have in mind that even if this may not be much work, we really need to focus on releasing 2.0 (that is dragging a few years), so this might be something to consider for 2.2.
My goal is to get this on the road map. I think it is missing from OpenDNSSEC and we should set it as a goal. I asked Sara to put it up on tomorrow's meeting.
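An added illustration of the design sketched in this thread (example code written for this page, not OpenDNSSEC code and not from any poster): one Signer process whose job queue is keyed by (zone, view), while key material is looked up by zone name only, so the Enforcer never sees the view split and the DNSKEY/DS side stays identical across views. The class and function names, the HMAC-SHA256 stand-in for real DNSSEC signing, and the sample zone records are all assumptions made so the script runs offline.

```python
"""Toy model: one Signer, jobs keyed by (zone, view), keys keyed by zone.

Illustration only (not OpenDNSSEC code). ZoneKey/SignJob/Signer are assumed
names; HMAC-SHA256 stands in for RRSIG generation; records are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneKey:
    """Key for one zone, shared by every view of that zone (Enforcer-owned)."""
    zone: str
    secret: bytes  # stand-in for the private key

    @property
    def dnskey(self) -> str:
        # Public half: the same for every view, so the parent's DS is too.
        return hashlib.sha256(self.secret).hexdigest()[:16]


@dataclass(frozen=True)
class SignJob:
    zone: str
    view: str               # "" for a zone that has no views
    unsigned: tuple         # constructed (name, type, rdata) records

    @property
    def job_id(self) -> tuple:
        # The unique key the Signer queues on: zone name plus view identifier.
        return (self.zone, self.view)


class Signer:
    def __init__(self, keys: dict):
        self.keys = keys            # zone -> ZoneKey; no view in this key
        self.queue = {}             # (zone, view) -> SignJob
        self.outputs = {}           # (zone, view) -> signed records

    def enqueue(self, job: SignJob) -> None:
        # Two views of one zone coexist because the key includes the view.
        self.queue[job.job_id] = job

    def run(self) -> dict:
        while self.queue:
            job_id, job = self.queue.popitem()
            key = self.keys[job.zone]   # same key for every view of the zone
            signed = []
            for name, rtype, rdata in job.unsigned:
                rr = f"{name} {rtype} {rdata}"
                sig = hmac.new(key.secret, rr.encode(), hashlib.sha256).hexdigest()[:16]
                signed.append(rr)
                signed.append(f"{name} RRSIG({rtype}) {sig}")
            signed.append(f"{job.zone} DNSKEY {key.dnskey}")
            self.outputs[job_id] = signed
        return self.outputs


def dnskey_lines(signed: list) -> list:
    """Extract the DNSKEY lines, i.e. what a parent would build a DS from."""
    return [line for line in signed if " DNSKEY " in line]


def build_example_signer() -> dict:
    """Constructed sample: example.com with two views, example.net with none."""
    keys = {
        "example.com": ZoneKey("example.com", b"example.com-secret"),
        "example.net": ZoneKey("example.net", b"example.net-secret"),
    }
    signer = Signer(keys)
    signer.enqueue(SignJob("example.com", "internal",
                           (("www.example.com", "A", "10.0.0.10"),)))
    signer.enqueue(SignJob("example.com", "external",
                           (("www.example.com", "A", "203.0.113.10"),)))
    signer.enqueue(SignJob("example.net", "",
                           (("www.example.net", "A", "203.0.113.20"),)))
    return signer.run()


if __name__ == "__main__":
    for job_id, lines in sorted(build_example_signer().items()):
        print(job_id)
        for line in lines:
            print("  ", line)
```

The point to take from running it: the two example.com views produce different signed zone files (different A data, hence different RRSIGs) but carry the same DNSKEY, which is why a parent without views can delegate to a child with views without any extra key coordination.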