[Opendnssec-user] Database support for OpenDNSSEC

Robert Martin-Legene robert at dk-hostmaster.dk
Mon Nov 15 21:28:16 UTC 2010


Hello Simon.

This is really an interesting idea. I think many can use it.

If the enforcer is supposed to compare the signed and the unsigned
tables, don't forget that you need some way to ensure that the unsigned
doesn't change in the period that passes between the signing and when the
enforcer starts, or the enforcer will fail.

For TLDs where changes occur often, this could easily become a problem.
In your case, I don't know if you can somehow lock the table and block
the user from performing updates while you're signing... or maybe just
not consider it an issue because "zones are always small".

Kind regards,

  Robert
