[Opendnssec-develop] Zone re-sign interval and SOA serial

Jelte Jansen jelte at NLnetLabs.nl
Wed May 20 08:31:42 UTC 2009

Rickard Bondesson wrote:
>> If the re-sign interval is set to 4 hours and the signer
>> receives a new zone file every second hour (with updated SOA
>> serial), will the internal counter for the re-sign interval
>> be reset when the updated zone is signed? And thus will new
>> signatures never be generated out-of-sync with the zone
>> transfers? And no SOA serial needs to be updated within
>> the signer?
> Jelte do you have an answer for this? Will the Signer Engine reset the re-sign timer when a zone update arrives? Thus will the zone output always be in sync with the zone input in this scenario?

Currently, when the engine gets the signal that zone input has changed, it will
restart the entire signing process, including recreating all signatures, so in
this scenario, it will never actually reach the resign process. So the SOA
shouldn't need to be changed. This could be done way more efficiently, but that
would almost involve the incremental signing procedure planned for version 2. It
does have the upshot that this scenario works 'for free' ;)

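A small scheduling replay of the behaviour described in the reply, added here as an illustration and not OpenDNSSEC's own code: an input change restarts the whole signing run and therefore resets the re-sign timer, so with a 4-hour re-sign interval and a 2-hour update cadence the timer never fires and the serial always comes from the input zone. It also covers the opposite case (updates slower than the re-sign interval), where the signer has to bump the serial itself; all intervals, the horizon and the serial values are constructed.

```python
import math


def simulate(resign_interval, update_interval, horizon, serial=2009052000):
    """Replay the signer's scheduling decisions and return the signing runs.

    Each run is (time_h, reason, soa_serial). reason is "input" when a new
    zone file triggered a full re-sign (the SOA serial is the one carried
    in the input zone) or "timer" when the re-sign interval expired with no
    new input, in which case the signer must increment the serial itself.
    Modelled assumption (from the thread): an input change restarts the
    entire signing process, so the re-sign timer restarts at every
    input-driven run.
    """
    runs = []
    t_input = 0.0          # first input zone arrives at t=0 (constructed)
    t_timer = math.inf     # no re-sign scheduled until the first run
    while min(t_input, t_timer) <= horizon:
        if t_input <= t_timer:
            # New input wins ties: full re-sign, timer restarts from scratch.
            serial += 1                       # serial supplied by the operator
            runs.append((t_input, "input", serial))
            t_timer = t_input + resign_interval
            t_input += update_interval
        else:
            # Re-sign interval expired with unchanged input: the signer has
            # to produce a new SOA serial on its own.
            serial += 1
            runs.append((t_timer, "timer", serial))
            t_timer += resign_interval
    return runs


def signer_bumped_serial(runs):
    """True if any run required the signer (not the input) to set the serial."""
    return any(reason == "timer" for _, reason, _ in runs)


if __name__ == "__main__":
    for resign, update in ((4, 2), (4, 6)):
        print(f"re-sign every {resign}h, input every {update}h:")
        for t, reason, soa in simulate(resign, update, 12):
            print(f"  t={t:5.1f}h  {reason:5s}  serial={soa}")
```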