[Opendnssec-user] User input on OpenDNSSEC Auditor deprecation

Antti Ristimäki antti.ristimaki at csc.fi
Wed Nov 30 05:55:02 UTC 2011


We are using the Auditor and find it a nice-to-have feature but can 
certainly also live without it. After all, with the auditor enabled 
OpenDNSSEC is more or less auditing itself, so some external checks 
independent from ODS should be carried out anyway.

Actually we execute some custom checks (in addition to the Auditor) after 
the signing process, triggered by the NotifyCommand option. Those checks 
include verifying that the chain of trust remains intact in case 
the zone's DS record is published in the parent, that no delegation NS 
RRsets have been dropped during the signing process, etc. Naturally, 
should the checks fail, the zone publishing process will be abandoned.

So, as the OpenDNSSEC architecture makes it rather easy to make custom 
sanity checks, I think that deprecating the Auditor wouldn't be a big issue.
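The two post-signing checks the post describes (parent DS still matches a DNSKEY in the signed zone; no delegation NS records lost by the signer), written out as an added example. This is not the poster's script and not OpenDNSSEC code. It assumes a minimal zone text format of one record per line ("owner TTL class type rdata", fully qualified owners), a constructed toy DNSKEY with a 4-byte public key so the key tag can be checked by hand, and a parent DS of digest type 2 (SHA-256) only; a DS of any other digest type is treated as not matching, which is the conservative outcome for a publish gate. The sample zone data and the parent DS are constructed for the example.

```python
"""Post-signing sanity checks (added example, not OpenDNSSEC's or the poster's code)."""
import base64
import hashlib
import struct


def parse_zone(text):
    """Return (owner, rtype, rdata) tuples from a minimal one-record-per-line zone text."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        owner, _ttl, _rclass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), rtype.upper(), rdata.strip()))
    return records


def delegation_ns(records, apex):
    """Set of (owner, nsdname) for NS records below the apex, i.e. delegations."""
    return {(o, r) for o, t, r in records if t == "NS" and o != apex}


def dropped_delegations(unsigned_text, signed_text, apex):
    """Delegation NS records present before signing but missing afterwards."""
    before = delegation_ns(parse_zone(unsigned_text), apex)
    after = delegation_ns(parse_zone(signed_text), apex)
    return sorted(before - after)


def name_to_wire(name):
    """Canonical wire form of a fully qualified owner name (RFC 4034 section 6.2)."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def dnskey_rdata_wire(rdata):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    flags, proto, alg, key_b64 = rdata.split(None, 3)
    key = base64.b64decode("".join(key_b64.split()))
    return struct.pack("!HBB", int(flags), int(proto), int(alg)) + key


def key_tag(rdata):
    """Key tag over the wire-format DNSKEY RDATA (RFC 4034 appendix B)."""
    ac = 0
    for i, b in enumerate(dnskey_rdata_wire(rdata)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, dnskey_rdata):
    """DS RDATA with digest type 2 (SHA-256 over owner wire name + DNSKEY RDATA, RFC 4509)."""
    wire = dnskey_rdata_wire(dnskey_rdata)
    digest = hashlib.sha256(name_to_wire(owner) + wire).hexdigest().upper()
    return f"{key_tag(dnskey_rdata)} {wire[3]} 2 {digest}"


def normalize_ds(rdata):
    """Comparable form of DS RDATA: (key tag, algorithm, digest type, hex digest)."""
    tag, alg, dtype, digest = rdata.split(None, 3)
    return (int(tag), int(alg), int(dtype), "".join(digest.split()).upper())


def chain_intact(parent_ds_rdatas, signed_text, apex):
    """True if at least one DS the parent publishes matches a DNSKEY at the signed apex."""
    keys = [r for o, t, r in parse_zone(signed_text) if t == "DNSKEY" and o == apex]
    published = {normalize_ds(make_ds(apex, k)) for k in keys}
    return any(normalize_ds(ds) in published for ds in parent_ds_rdatas)


APEX = "example.net."
# Constructed toy KSK: flags 257, protocol 3, algorithm 13, public key bytes 01 02 03 04
KSK = "257 3 13 AQIDBA=="
# Constructed zone as fed to the signer
UNSIGNED = """
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 1 7200 3600 1209600 3600
example.net.      3600 IN NS  ns1.example.net.
sub.example.net.  3600 IN NS  ns1.sub.example.net.
sub.example.net.  3600 IN NS  ns2.sub.example.net.
"""
# Constructed signer output in which one delegation NS record went missing
SIGNED = """
example.net.      3600 IN SOA ns1.example.net. hostmaster.example.net. 2 7200 3600 1209600 3600
example.net.      3600 IN NS  ns1.example.net.
example.net.      3600 IN DNSKEY 257 3 13 AQIDBA==
sub.example.net.  3600 IN NS  ns1.sub.example.net.
"""
PARENT_DS = [make_ds(APEX, KSK)]  # assumed to be what the parent zone publishes


def run_checks(unsigned=UNSIGNED, signed=SIGNED, parent_ds=PARENT_DS, apex=APEX):
    """Return (ok, problems); a NotifyCommand hook would stop publishing when ok is False."""
    problems = []
    if not chain_intact(parent_ds, signed, apex):
        problems.append("no DNSKEY in signed zone matches parent DS")
    for owner, ns in dropped_delegations(unsigned, signed, apex):
        problems.append(f"delegation NS dropped: {owner} NS {ns}")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = run_checks()
    print("OK" if ok else "FAIL")
    for p in problems:
        print(" -", p)
```

Run as a script it reports FAIL with the lost ns2.sub.example.net. delegation, while the DS check passes because the signed apex still carries the KSK the parent's DS was derived from. A real hook would read the parent DS from a query or a config file rather than deriving it from the zone itself; deriving it here only keeps the example self-contained.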