Re: large domain scaling

From: Murray S. Kucherawy <msk_at_blackops.org>
Date: Wed, 16 Dec 2009 17:43:41 -0800 (PST)

On Wed, 16 Dec 2009, Quanah Gibson-Mount wrote:
> I'm curious if work has been done with OpenDKIM to help sites with a
> large number of domains (10,000+) so that every domain creation does not
> require reloading of the application to load new private keys.
> Preferably, being able to query the domain keys for each domain
> dynamically (from LDAP, for example) would be helpful, so that any time
> a new domain is added, if the key isn't known, it can be fetched.
> Right now, reading the documentation, it appears everything is file
> based, which I think would require reloading the milter every time a
> domain key is added.

At the moment there is no runtime query to a service like LDAP or SQL to
ask for the key to be used for a particular signer. Mostly for legacy
reasons, the keys are loaded once during configuration and stored in
memory so they are available for signing operations. So you're right,
you would need to update the key list and then have the application
re-read its configuration files when adding domains or changing keys.

There's a fairly comprehensive database abstraction layer that could
(really, should) be applied to the domain->key mapping inside the filter.
That module is not LDAP-aware yet, but it could be. Making that
conversion would make it possible to do this sort of thing live, without
having to reload on changes; at a minimum, one could use a Sleepycat DB
or an SQL database to map domains to keys.

Feel free to open up a feature request on SourceForge and we'll look at
getting this into a future release. "When" depends really on finding the
appropriate resources (reference materials and code contribution in the
case of LDAP, development and testing time in any case).

-MSK
Received on Thu Dec 17 2009 - 01:44:02 PST

This archive was generated by hypermail 2.3.0 : Mon Oct 29 2012 - 23:16:46 PST