[Opendnssec-develop] Zone re-sign interval and SOA serial
Jelte Jansen
jelte at NLnetLabs.nl
Wed May 20 08:31:42 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Rickard Bondesson wrote:
>> If the re-sign interval is set to 4 hours and the signer
>> receives a new zone file every second hour (with updated SOA
>> serial), will the internal counter for the re-sign interval
>> be reset when the updated zone is signed? And thus will new
>> signatures newer be generated out-of-sync with the zone
>> transfers? And no SOA serial is needed to be updated within
>> the signer?
>
> Jelte do you have an answer for this? Will the Signer Engine reset the re-sign timer when a zone update arrives? Thus will the zone output always be in sync with the zone input in this scenario?
>
Currently, when the engine gets the signal that zone input has changed, it will
restart the entire signing process, including recreating all signatures, so in
this scenario, it will never actually reach the resign process. So the soa
shouldn't need to be changed. This could be done way more efficiently, but that
would almost involve the incremental signing procedure planned for version 2. It
does have the upshot that this scenario works 'for free' ;)
Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkoTv+sACgkQ4nZCKsdOncUg7QCgi4tpWOSFINBgmOR2tfMKVgwo
PrMAn0fF9MRUME3whJZemHnC2By7/jRQ
=u0dw
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list