[Opendnssec-user] Enforcerd and signerd decoupling

Petr Spacek pspacek at redhat.com
Tue Mar 11 09:05:47 UTC 2014


On 10.3.2014 14:59, Matthijs Mekking wrote:
> Hi Antti,
>
> I agree with you. When we started with OpenDNSSEC we decided it was a good
> design to split the key management functionality and the signer functionality
> into two daemons, as they are two very separate tasks. And it has its benefits
> (code simplicity, flexibility (only use enforcer or signer, ...)).
>
> However, now that the project exists some longer time, we also identified some
> quirks, your example being one of them, and the split is not as strict as we
> once thought. We could solve this in multiple ways:
>
> 1. More communication between enforcer and signer, signer could signal events
> that have happened. We would lose flexibility, as we tie signer and enforcer
> together.
>
> 2. One daemon to rule them all. Might be simpler than adding all kinds of
> communications, operations-wise too.
>
> 3. Scripts that check an event has happened, instead of relying on time only.
> This has the advantage that signer and daemon can still be run separately and you
> can mix enforcer with a different signer, for example.

Let me add that we rely on the ability to use enforcer separately without 
signer (as it was described in thread "distributed OpenDNSSEC").

We will be very unhappy if this ability should be lost ...

Personally, I think that variant (3) with "hooks" for events is the right 
approach. In theory, we could write some functionality in this area if we 
decide to implement other features described in thread "distributed OpenDNSSEC".

Have a nice day!

-- 
Petr Spacek  @  Red Hat
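The event-checking hook that option (3) describes, as an added illustration that is not OpenDNSSEC code and not part of the original thread: rather than assuming a new key has been published once a timer expires, the hook reads the zone the signer actually produced and confirms that a DNSKEY with the expected key tag is present. The zone fragment, the owner name `example.com.` and the key material are constructed here so the RFC 4034 Appendix B key tags can be checked by hand; a real hook would read the signer's output file or query the published zone instead.

```python
"""Event-checking rollover hook (illustrative example, not OpenDNSSEC code).

The enforcer would call something like this before advancing a key's state,
so the state change depends on the key really being in the signed zone,
not only on elapsed time.
"""
import base64
import struct
import sys

# Constructed zone fragment with made-up key material (not real keys);
# the short keys make the key tags easy to verify by hand.
SAMPLE_SIGNED_ZONE = """\
; constructed zone fragment, not a real signed zone
example.com.     3600 IN SOA    ns1.example.com. hostmaster.example.com. 2014031101 7200 3600 1209600 3600
example.com.     3600 IN DNSKEY 257 3 13 AQIDBA==   ; KSK
example.com.     3600 IN DNSKEY 256 3 13 ECAwQA==   ; ZSK
www.example.com.  300 IN A      192.0.2.10
"""


def parse_dnskeys(zone_text):
    """Return (owner, flags, protocol, algorithm, key_bytes) for every DNSKEY RR.

    Handles single-line records with optional TTL/class and trailing comments.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop zone-file comments
        if not line:
            continue
        tokens = line.split()
        if "DNSKEY" not in tokens:
            continue
        idx = tokens.index("DNSKEY")
        owner = tokens[0]
        flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
        key = base64.b64decode("".join(tokens[idx + 4:]))  # base64 may be split
        records.append((owner, flags, proto, alg, key))
    return records


def key_tag(flags, proto, alg, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def published_key_tags(zone_text, owner):
    """Set of key tags present at `owner` in the given zone text."""
    return {key_tag(f, p, a, k)
            for o, f, p, a, k in parse_dnskeys(zone_text) if o == owner}


def key_is_published(zone_text, owner, expected_tag):
    """True if a DNSKEY with `expected_tag` is present at `owner`."""
    return expected_tag in published_key_tags(zone_text, owner)


def rollover_hook(zone_text, owner, expected_tag):
    """Decide whether the enforcer may advance: (ok, human-readable reason)."""
    seen = published_key_tags(zone_text, owner)
    if expected_tag in seen:
        return True, "key tag %d is published at %s" % (expected_tag, owner)
    return False, "key tag %d not yet in zone; published tags: %s" % (
        expected_tag, sorted(seen))


if __name__ == "__main__":
    # Usage: hook.py <signed-zone-file> <owner> <expected-key-tag>
    # With no arguments the constructed sample zone is checked instead.
    if len(sys.argv) == 4:
        with open(sys.argv[1]) as fh:
            zone = fh.read()
        owner, tag = sys.argv[2], int(sys.argv[3])
    else:
        zone, owner, tag = SAMPLE_SIGNED_ZONE, "example.com.", 17517
    ok, reason = rollover_hook(zone, owner, tag)
    print(("OK: " if ok else "WAIT: ") + reason)
    sys.exit(0 if ok else 1)
```

The exit status is what makes this usable as a hook: a non-zero status tells the caller to leave the key state alone and retry later, so the enforcer and signer stay separate processes and only share the signed zone as evidence that the event happened.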