[Opendnssec-user] User input on OpenDNSSEC Auditor deprecation
antti.ristimaki at csc.fi
Wed Nov 30 05:55:02 UTC 2011
We are using the Auditor and find it a nice-to-have feature but can
certainly live also without it. After all, with the auditor enabled
OpenDNSSEC is more or less auditing itself, so some external checks
independent from ODS should be carried out anyway.
Actually we execute some custom checks (in addition to Auditor) after
the signing process triggered by the NotifyCommand option. Those checks
include verifying that the chain of trust remains intact in case that
the zone's DS record is published in the parent, that no delegation NS
RRsets have been dropped during the signing process etc. Naturally,
should the checks fail, the zone publishing process will be abandoned.
So, as the OpenDNSSEC architecture makes it rather easy to make custom
sanity checks, I think that deprecating the Auditor wouldn't be a big issue.
More information about the Opendnssec-user