[Opendnssec-develop] Policy configuration checker
rickard.bondesson at iis.se
Tue Aug 18 11:10:51 UTC 2009
> Do you mean to say here that a zone with very static data
> never needs to be resigned, like f.e. a key rollover ?
> I think a static zone needs regular resigning as well, and
> there are simply 3 situations:
> -Zone changes occur faster than resigning, and faster than publishing
> -Zone changes occur faster than resigning, but slower than publishing
> -Resigning occurs faster than zone changes
> There are situations where changes to a zone are accepted,
> but not resigned because it's not publishing time yet.
> I think that's the parameter to play with. Signing only needs
> to be done when it's publishing time, or when a rollover is scheduled.
> Antoin Verschuren
What I mean is that a zone should not be published if we have not received a new serial (since the last signing) when we are in the "SOA keep"-mode. Refreshed signatures may be created but not published in this case.