[Opendnssec-user] User input on OpenDNSSEC Auditor deprecation
Carlos M. Martinez
carlos at lacnic.net
Fri Nov 25 13:53:18 UTC 2011
Personally, the auditor was one of the biggest headaches I had when I
started using OpenDNSSEC. In fact, my whole outlook on OpenDNSSEC
changed when I disabled it altogether.
However, I believe it would be nice to have some form of OpenDNSSEC
integrated zone checker. It should not be in the critical path of the
signing process but, as Casper mentions, it should be a tool the admin
can choose to run "out of band" so to speak.
On 11/25/11 10:24 AM, Casper Gielen wrote:
> On 17-11-11 14:39, Jakob Schlyter wrote:
>> Due to the inability to operate together with upcoming Signer Engine features like IXFR, we're considering removing the Auditor from future versions of OpenDNSSEC. Other reasons for this is that we believe that the Auditor has played is part in the OpenDNSSEC development process, it now often introduces more problems for our users than helping and there are now multiple alternative zone checkers available.
>> We now solicit user input on this plan from users activly using the Auditor (as opposed to just using it since it is enabled by default). Please submit your comments to the OpenDNSSEC users list (opendnssec-user at lists.opendnssec.org) no later than December 2nd.
> I can't recall ever having seen a usefull, true positive from the auditor
> so I wouldn't miss it*. In fact, I've recently disabled it all together to
> make the signing process go faster. My environment expects near-instantaneous
> Instead I run the auditor from a nightly cron-job. It complains about a
> decreased SOA serial on every zone but AFAIK that is unavoidable when
> editting zones manually.
> * this is not a critique, it just shows that things work rather well
Carlos M. Martinez
PGP KeyID 0xD51507A2
Phone: +598-2604-2222 ext. 4427
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 168 bytes
Desc: not available
More information about the Opendnssec-user