[Opendnssec-user] Re: Packaging OpenDNSSEC for Debian

Ondřej Surý ondrej at sury.org
Wed Jan 27 12:52:06 UTC 2010

Hi Rick,

On Wed, Jan 27, 2010 at 09:05, Rick van Rein <rick at openfortress.nl> wrote:
> Hello Ondrej,
> You are packaging OpenDNSSEC for Debian, right?
> Just out of curiosity:
> 1) Are you going to use the /etc/alternatives/ framework to select the
>   PKCS #11 implementation, and provide SoftHSM as a suggested
>   implementation package for that?  (I don't know if there is a
>   libpkcs11.so alternative in common use on Debian.)

Nope. It's done via opendnssec configuration. But maybe it's not a bad
idea to talk to OpenSC maintainer about providing
/usr/lib/libpkcs11.so alternative.

> 2) Not everybody wants to run the auditor as part of OpenDNSSEC.  Are you
>   packaging it separately?  If so, the ideal would of course be to have
>   the auditor automatically incorporated into OpenDNSSEC's workflow,
>   but only when it is installed.  Are you finding sufficient facilities
>   to setup such variations as gently as they can be?

OpenDNSSEC will be split into these source packages:

Already done and uploaded:

To be done:
opendnssec-enforcer (opendnssec-enforcerd, libksm-sqlite & libksm-mysql)
opendnssec-signer (opendnssec-signer, opendnssec-(signer)-tools)
meta-opendnssec (opendnssec meta package which install everything)

I am planning to just "Recommend:" opendnssec-auditor.

libhsm will just recommend libsofthsm (since you can have proprietary
libpkcs11.so installed)

There could be some changes as I go through those tools (like
opendnssec-auditor needs to Depend on opendnssec-conf, etc.)

Ondřej Surý <ondrej at sury.org>

More information about the Opendnssec-user mailing list