[Opendnssec-user] Database support for OpenDNSSEC

Simon Mittelberger mittelberger at united-domains.de
Wed Nov 17 08:42:00 UTC 2010


On Tuesday, 16.11.2010, at 08:59 +0100, Rickard Bellgrim wrote:
> On 15 nov 2010, at 22.28, Robert Martin-Legene wrote:
> 
> > If the enforcer is supposed to compare the signed and the unsigned
> > tables, don't forget that you need some way to ensure that the unsigned
> > doesn't change in the period that passes between the signing and the
> > enforcer starts, or the enforcer will fail.
> 
> s/enforcer/auditor/g
> 
> I think that is why the auditor is disabled by Simon. But it is a thing we have to keep in mind. How the auditor should be able to audit the process.

Thanks for your thoughts. You are right, this will be important.

Would the following solution be adequate?
- when reading the zone from the table, write it to a file (internal).
- when signing has completed, the auditor can check against this file.

The thing is: if tables get locked, the nice feature of instant edit of
the records is gone (please correct me if I'm wrong).

Another possibility: create another table in the database for the
auditor and save the records there before signing.

The third option: throw away the MySQL adapter idea and just hack the
file adapter. Pull the data from MySQL before reading the file and push
it to MySQL when writing the file. (this is probably the ugliest one)

What would you recommend?


Kind regards,
Simon
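
Added example, not part of the original message and not OpenDNSSEC code: a sketch of the first option above (snapshot the zone to a file at read time, audit against that file), with SQLite standing in for MySQL and a placeholder signer. The table layout, function names and records are assumptions constructed for illustration; it shows an edit that lands between read and audit passing against the snapshot but failing against the live table.

```python
import os
import sqlite3
import tempfile

DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}

def read_zone(db, snapshot_path):
    """Read the zone from the table and write the same rows to a snapshot file."""
    rows = sorted(db.execute("SELECT name, type, rdata FROM records"))
    with open(snapshot_path, "w") as fh:
        for row in rows:
            fh.write("\t".join(row) + "\n")
    return rows

def sign(rows):
    """Placeholder signer (assumption): one dummy RRSIG per record, no real crypto."""
    return rows + [(n, "RRSIG", f"{t} <constructed-signature>") for n, t, _ in rows]

def audit(signed, snapshot_path):
    """Compare the non-DNSSEC records of the signed zone with the snapshot."""
    with open(snapshot_path) as fh:
        expected = {tuple(line.rstrip("\n").split("\t")) for line in fh}
    actual = {r for r in signed if r[1] not in DNSSEC_TYPES}
    return {"missing": sorted(expected - actual), "extra": sorted(actual - expected)}

def demo():
    db = sqlite3.connect(":memory:")  # stand-in for the MySQL zone table
    db.execute("CREATE TABLE records (name TEXT, type TEXT, rdata TEXT)")
    db.executemany("INSERT INTO records VALUES (?, ?, ?)", [  # constructed sample zone
        ("example.com.", "SOA", "ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300"),
        ("example.com.", "NS", "ns1.example.com."),
        ("www.example.com.", "A", "192.0.2.10"),
    ])
    with tempfile.TemporaryDirectory() as tmp:
        snap = os.path.join(tmp, "example.com.unsigned")
        signed = sign(read_zone(db, snap))
        # Instant edit arrives after the read and before the audit; no table lock is held.
        db.execute("UPDATE records SET rdata = '192.0.2.99' WHERE type = 'A'")
        vs_snapshot = audit(signed, snap)
        # What an auditor would report if it re-read the live table instead.
        live = os.path.join(tmp, "live")
        read_zone(db, live)
        vs_live = audit(signed, live)
    return vs_snapshot, vs_live

if __name__ == "__main__":
    print(demo())
```
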



