[Opendnssec-develop] Multiple views with current OpenDNSSEC (well, almost)

Jerry Lundström jerry at opendnssec.org
Mon Oct 7 09:18:40 UTC 2013


On Oct 7, 2013, at 10:59 , Rick van Rein (OpenFortress) wrote:

>> It would be a lot better and more stable to add support for views correctly into the Enforcer and Signer and it might not even be a big job. Basically it has to do with the internal design of how zones and processed, the zone name is the unique key identifying a zone and what needs to be done is to add a view identifier that is included into the unique key for the zone (unless I missing something). This will enable Enforcer and Signer to have different paths, configurations, input and output for the same zone but for different views.
> That's what I'm saying indeed :-) -- except that I'd propose to not make the Enforcer aware of the split.

I can't see how this will work without the Enforcer knowing about the view. The Enforcer generates the signconf today and if the Enforcer does not know about the different paths for the views how can it tell the Signer to load different zone data?

There is also the issue about different keys for the views, are we absolutely sure that it will never be needed?

I would rather have a design that has the option available (maybe not support at the first go).


Jerry Lundström - OpenDNSSEC Developer

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 625 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20131007/55d984b9/attachment.bin>

More information about the Opendnssec-develop mailing list