[Opendnssec-develop] Policy configuration checker

Antoin Verschuren Antoin.Verschuren at sidn.nl
Tue Aug 18 10:46:10 UTC 2009


Do you mean to say here that a zone with very static data never needs to be resigned, like e.g. a key rollover?
I think a static zone needs regular resigning as well, and there are simply 3 situations:
- Zone changes occur faster than resigning, and faster than publishing
- Zone changes occur faster than resigning, but slower than publishing
- Resigning occurs faster than zone changes

There are situations where changes to a zone are accepted, but not resigned because it's not publishing time yet.
I think that's the parameter to play with. Signing only needs to be done when it's publishing time, or when a rollover is scheduled.

Antoin Verschuren

Technical Advisor
Policy & Business Development
SIDN
Utrechtseweg 310
PO Box 5022
6802 EA Arnhem
The Netherlands

T +31 26 3525510
F +31 26 3525505
M +31 6 23368970
E antoin.verschuren at sidn.nl
W http://www.sidn.nl/




-----Original Message-----
From: opendnssec-develop-bounces at lists.opendnssec.org on behalf of Rickard Bondesson
Sent: Tue 2009-08-11 15:33
To: Matthijs Mekking
CC: Opendnssec-develop at lists.opendnssec.org; Alexd at nominet.org.uk
Subject: Re: [Opendnssec-develop] Policy configuration checker
 

> But why waste resign resources if you are not going to output 
> it anyway?
> In this example, you can save 23 times resigning that will be 
> unnoticed.
> 
> Matthijs

But the signer should not do anything if the old signed file has the same SOA as the unsigned file (and you have <SOA><Serial>keep</Serial></SOA>). Thus not wasting so much CPU.

if (soa_serial_type == keep && signed_zone_soa == unsigned_zone_soa) {
  break_out_and_sleep_for_5_min();
}
do_resign();

// Rickard


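The resign decision Rickard sketches above, together with the three timing situations Antoin lists, as an added example that is not part of this thread or of OpenDNSSEC itself. The policy names, the refresh/expiry rule, the assumption that only the "keep" serial mode lets the signer compare serials, and the hourly timeline are constructed for illustration.

```python
"""Model of when a DNSSEC signer must actually re-sign a zone.

Constructed example: the rules, the serial-mode names and the timeline
below are assumptions for illustration, not OpenDNSSEC code.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Zone:
    serial_mode: str                # "keep" copies the input SOA serial; other modes generate one
    signed_serial: Optional[int]    # SOA serial of the last signed output, None if never signed
    unsigned_serial: int            # SOA serial of the current unsigned input
    sig_expire_at: int              # earliest RRSIG expiration in the signed output (epoch secs)
    refresh: int                    # re-sign this long before signatures expire
    rollover_pending: bool = False  # a key rollover is scheduled for this zone


def needs_resign(z: Zone, now: int) -> Tuple[bool, str]:
    """Rickard's serial check, extended with the expiry and rollover cases from the thread."""
    if z.signed_serial is None:
        return True, "never signed"
    if z.rollover_pending:
        return True, "key rollover scheduled"
    if now >= z.sig_expire_at - z.refresh:
        return True, "signatures inside refresh window"
    if z.serial_mode != "keep":
        # assumption: a generated serial says nothing about whether the input changed
        return True, "generated serial cannot show whether the input changed"
    if z.signed_serial == z.unsigned_serial:
        return False, "serial kept and input unchanged: sleep"
    return True, "input serial changed"


def signing_runs(change_times, horizon, resign_interval, publish_interval):
    """Count signer runs over hours 1..horizon under two schedules.

    eager:   sign at every accepted change, or when resign_interval has elapsed
    batched: hold changes until publish time, but never past resign_interval
    Returns (eager_runs, batched_runs)."""
    changes = set(change_times)
    eager = batched = 0
    pending, last_e, last_b = False, 0, 0
    for t in range(1, horizon + 1):
        changed = t in changes
        if changed or t - last_e >= resign_interval:
            eager, last_e = eager + 1, t
        pending = pending or changed           # change accepted, signing deferred
        if (t % publish_interval == 0 and pending) or t - last_b >= resign_interval:
            batched, pending, last_b = batched + 1, False, t
    return eager, batched
```

A zone that changes every hour but publishes once a day needs one batched run instead of 24, while a fully static zone is still re-signed on every resign interval under both schedules.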