[Opendnssec-develop] Policy configuration checker

Rickard Bondesson rickard.bondesson at iis.se
Tue Aug 18 11:10:51 UTC 2009


> Do you mean to say here that a zone with very static data 
> never needs to be resigned, like f.e. a key rollover?
> I think a static zone needs regular resigning as well, and 
> there are simply 3 situations:
> - Zone changes occur faster than resigning, and faster than publishing
> - Zone changes occur faster than resigning, but slower than publishing
> - Resigning occurs faster than zone changes
> 
> There are situations where changes to a zone are accepted, 
> but not resigned because it's not publishing time yet.
> I think that's the parameter to play with. Signing only needs 
> to be done when it's publishing time, or when a rollover is scheduled.
> 
> Antoin Verschuren

What I mean is that a zone should not be published if we have not received a new serial (since the last signing) when we are in the "SOA keep"-mode. Refreshed signatures may be created but not published in this case.

// Rickard


