[Opendnssec-user] Database support for OpenDNSSEC

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Nov 17 09:21:55 UTC 2010


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Simon,

Thanks for the patch. It shows that the core of the signer engine can
work, regardless of how the zone is fed.

On 11/17/2010 09:42 AM, Simon Mittelberger wrote:
> On Tuesday, 16.11.2010, 08:59 +0100, Rickard Bellgrim wrote: 
>> On 15 nov 2010, at 22.28, Robert Martin-Legene wrote:
>>
>>> If the enforcer is supposed to compare the signed and the unsigned
>>> tables, don't forget that you need some way to ensure that the unsigned
>>> doesn't change in the period that passes between the signing and the
>>> enforcer starts, or the enforcer will fail.
>>
>> s/enforcer/auditor/g
>>
>> I think that is why the auditor is disabled by Simon. But it is a thing we have to keep in mind. How the auditor should be able to audit the process.
> 
> Thanks for your thoughts. You are right this will be important.
> 
> Would the following solution be adequate?
> - when reading the zone from the table, write it to a file (internal).
> - when signing has completed, the auditor can check against this file.

Currently, the auditor is already provided with internal files. The
signer working directory makes a copy to .unsorted and a signed copy
to .finalized before writing the zone, and the auditor will make its
checks against these files. So, I don't see why it should be different
with MySQL adapters.

Best regards,

Matthijs

> 
> The thing is: if tables get locked, the nice feature of instant edit of
> the records is gone (please correct me if I'm wrong).
> 
> Another possibility: create another table in the database for the
> auditor and save the records there before signing.
> 
> The third option: throw away the mysql adapter idea and just hack the
> file adapter. Pull the data from mysql before reading the file and push
> it to mysql when writing the file. (this is probably the ugliest one)
> 
> What would you recommend?
> 
> 
> Kind regards,
> Simon
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJM456zAAoJEA8yVCPsQCW5fC0H/02DS0KcOL2bn3ynxV207tyt
yv7C+R1VncsFR7OaX4khhEHVDgWHQs41USFBEQluVZJleE2jGeCA7gU1tC1RKkXC
tbhXlP8+rm7izsi3DosiYzCGC1moFzELAippY6b9c4g1rVtFafsWItcx5FTo1kgo
dDpccRxB3Bd8RVcuG/Shv6bYNiic/kJ9PloTgIRixXZ8UEbqHVOelF/YHbfiL8UU
2wD2xq5b8voA4L11XY94exznFBCuVLVAjVHWW5Spim3WgnNTyRsnvvCclZ98RwSn
8i03VrPFsnYho+GDRcHll+gl7SPjrMCOmYqVhfR4tlL8irpDyEx3UsPPogBbxn8=
=3uRw
-----END PGP SIGNATURE-----
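The auditing approach discussed in this thread, as an added example that is not OpenDNSSEC's own code: a minimal audit check that compares the signer's pre-signing snapshot (the .unsorted copy named above) against the signed output (.finalized), rather than against the live MySQL table, so a record edited in the source between signing and auditing cannot cause a spurious failure or mask a real one. The zone format is a simplified one-record-per-line presentation (owner, TTL, class, type, rdata) assumed for the example, the sample zones are constructed, and the DNSSEC-added record types and the serial-masking rule are the example's own assumptions about what a signer is allowed to change.

```python
"""Added example (not OpenDNSSEC code): audit a signed zone against the
signer's snapshot of the unsigned input, ignoring only what signing is
expected to add or change."""
from collections import Counter

# Record types a signer is expected to add; assumption of this example.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def normalize(owner, ttl, rclass, rtype, rdata):
    """Canonical tuple for comparison. The SOA serial is masked because the
    signer may bump it; every other rdata field must survive unchanged."""
    tokens = rdata.split()
    if rtype == "SOA" and len(tokens) >= 3:
        tokens[2] = "*"
    return (owner.lower(), int(ttl), rclass.upper(), rtype, " ".join(tokens))


def parse_zone(text):
    """Parse the simplified format: one record per line, ';' comments,
    no $ directives or multi-line records (assumption). DNSSEC-added
    types are dropped so both sides are compared on the same basis."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 4)
        if len(parts) < 5:
            raise ValueError(f"malformed record: {raw!r}")
        owner, ttl, rclass, rtype, rdata = parts
        rtype = rtype.upper()
        if rtype in DNSSEC_TYPES:
            continue
        records.append(normalize(owner, ttl, rclass, rtype, rdata))
    return records


def audit(snapshot_text, signed_text):
    """Return (missing, unexpected): snapshot records absent from the signed
    zone, and non-DNSSEC records in the signed zone that the snapshot never
    had. A modified record shows up once in each list."""
    expected = Counter(parse_zone(snapshot_text))
    actual = Counter(parse_zone(signed_text))
    missing = sorted((expected - actual).elements())
    unexpected = sorted((actual - expected).elements())
    return missing, unexpected


# Constructed sample data; the RRSIG/DNSKEY rdata is placeholder text.
UNSIGNED_SNAPSHOT = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010111701 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 300 IN A 192.0.2.10
"""

SIGNED_OK = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010111702 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20101217000000 20101117000000 12345 example.com. PLACEHOLDER==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY==
example.com. 3600 IN NSEC www.example.com. NS SOA RRSIG NSEC DNSKEY
www.example.com. 300 IN A 192.0.2.10
www.example.com. 300 IN RRSIG A 8 3 300 20101217000000 20101117000000 12345 example.com. PLACEHOLDER==
"""

# Same as SIGNED_OK, but one record altered and one injected after the snapshot.
SIGNED_TAMPERED = """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2010111702 7200 900 1209600 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 257 3 8 PLACEHOLDERKEY==
www.example.com. 300 IN A 192.0.2.99
evil.example.com. 300 IN A 192.0.2.99
"""

if __name__ == "__main__":
    for name, signed in (("ok", SIGNED_OK), ("tampered", SIGNED_TAMPERED)):
        missing, unexpected = audit(UNSIGNED_SNAPSHOT, signed)
        print(name, "missing:", missing, "unexpected:", unexpected)
```

Because the comparison runs against the snapshot the signer itself wrote, the live table needs no locking during signing: a later edit to the source only shows up on the next signing run, which is the same behaviour the file adapter already has.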