[Opendnssec-user] RE: Enforcer NG alpha-3 snapshot

Sara (Sinodun) sara at sinodun.com
Mon Jun 18 20:34:16 UTC 2012

Hi Paul, 

I'm sorry if this wasn't clear from my earlier email. To recap on the ODS Roadmap:

- The 1.4 release (planned for Q3 2012) is mainly focussed on adding adapters for IXFR and AXFR

- The "Enforcer NG" is a parallel development effort which will form the basis of a future 2.0 release.  It may be more helpful to refer to the Enforcer NG alpha-3 snapshot as 2.0.0a3 since the release of this branch is now being tagged this way. This work involves a complete re-write of the enforcer component of OpenDNSSEC to provide scalability (50,000 zones) and flexibility (multiple rollover types) that isn't possible with the current enforcer architecture. As such it must re-implement all the functionality of the current enforcer and deliver the improvements listed. So the key pre-generation isn't new - it is just the 2.0 development playing catch up.

And, yes - this means we have two different future releases both offering alpha versions at the same time, but clearly the 2.0 release will need to undergo extensive regression testing to make sure it can do everything the current enforcer can (and more). Any users willing to get involved in this testing early are welcomed with open arms. 

Hope this helps.


On 18 Jun 2012, at 18:11, Paul Wouters wrote:

> On Mon, 18 Jun 2012, Sara Dickinson wrote:
>
> Hi Sara,
>
>> The major changes over the alpha-2 snapshot are the implementation of both MySQL and SQLite database backends and support for pre-generation of keys on the HSM. For details see: http://svn.opendnssec.org/tags/OpenDNSSEC-2.0.0a3/NEWS
>
> What do you mean with "Enforcer: Pre-generate keys on the HSM"?
>
> I was already pre-generating keys with an HSM, though experienced that
> multiple opendnssec instances with multiple HSMs did not pick the same
> key order when rolling the ZSK.
>
> The man page for ods-ksmutil already states:
>
> 	"If configured to, OpenDNSSEC will automatically create keys when
> 	the  need  arises.  This command can be used to pregenerate keys
> 	(maybe for the expected lifetime of an HSM)"
>
> So I am a little confused what this new option does.
>
> Regards,
> Paul
