[Opendnssec-develop] Policy configuration checker

Roy Arends roy at nominet.org.uk
Tue Aug 18 11:54:03 UTC 2009


"Rickard Bondesson" <rickard.bondesson at iis.se> wrote on 08/18/2009 
01:41:19 PM:

> > In practice, I would not require a re-sign to be a 
> > re-publish. Note that re-publish might be far more costly 
> > than a re-sign, if you have to pay secondary services for transit. 
> > 
> > Roy
> > 
> 
> Do I say that? ...

I was not arguing for or against any statement made, but wanted to speak 
my mind about intent. But to answer your question: No. I think we are in 
violent agreement. You said "a zone should not be published if we have not 
received a new serial". Note that a zone is either published or not. The 
SOA serial number is interesting for _secondary_ servers, not primary 
servers. I just wanted to make sure folks understand the premise of the 
serial number in an SOA. 

> Re-sign will not require re-publish. 

Yes.

> Re-publishing of the signed 
> zone will only happen when the unsigned zone has been assigned a new
> SOA serial.
>
> E.g. the unsigned zone will be updated every second hour with new 
> content and SOA serial. The signer continuously runs, but will only 
> be able to re-publish the zone every second hour, because we are in 
> the "SOA serial keep"-mode.

Exactly.

Roy