[Opendnssec-user] Can't disable the auditor

sion at nominet.org.uk sion at nominet.org.uk
Fri Mar 19 12:11:41 UTC 2010

> Related to my problem with the auditor in the "Auditor failing to
> verify signatures which appear to be ok" thread I want to disable
> auditing for the policy used by the zones which are having problems.
> I did
> # ods-control stop
> edited kasp.xml and completely removed the <Audit/> tag from the policy
> # ods-control ksm update all
> # ods-control start
> The auditor still runs for that policy.
> Any clue as to what I'm doing wrong?

Probably nothing...

There are 2 possibilities.

1) The signconf file has not been rewritten by the enforcer when the signer
first runs. Because of the order in which the processes are started the
signer will often run on the signconf left from the previous run.

2) We have just found a bug in the enforcer which you may be hitting.

If you have multiple policies defined in kasp.xml can you make sure that
the policy without the audit tag is the last one in the file?



More information about the Opendnssec-user mailing list