Hello Jan Hugo, > There are a few area's where I think that this is important:
Could you add that to the ticket OPENDNSSEC-232 perhaps? https://issues.opendnssec.org/browse/OPENDNSSEC-232 I agree that it is a useful instrument with a wide area of applications. It just hasn't been taken into account when designing the current version of OpenDNSSEC. >> As was stated, you should run views in separate OpenDNSSEC instances, >> unfortunately. One note I'd add to that is that you might be best off with >> a single Enforcer, and multiple signers. That way, you would share the >> keying material and PKCS #11 infrastructure among zones. > In big environments this sounds like a hacky setup. Especially if you have to > distribute this on multiple servers to be able to run multiple signers. I was thinking along those lines too; the Enforcer kicks the Signer, and provides .signconf files with paths inserted. I've asked this on the developer's list, because it is getting into the nitty-gritty. The idea of running one Enforcer, SQL, PKCS #11 and multiple Signers is new AFAIK, so it's worth investigating. Sara is usually keen to hear to hear about (and respond on) this sort of end-user concerns, but she is currently ill. I expect her to respond when she gets better though. Cheers, -Rick_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
