[Opendnssec-develop] Zone re-sign interval and SOA serial
Rickard Bondesson
rickard.bondesson at iis.se
Wed May 20 09:06:51 UTC 2009
> Currently, when the engine gets the signal that zone input
> has changed, it will restart the entire signing process,
> including recreating all signatures, so in this scenario, it
> will never actually reach the resign process. So the soa
> shouldn't need to be changed. This could be done way more
> efficiently, but that would almost involve the incremental
> signing procedure planned for version 2. It does have the
> upshot that this scenario works 'for free' ;)
This is a show-stopper for the deployment at .SE with the first version of OpenDNSSEC, since this is what our current scenario looks like. And I do not think our slave server operators will be so happy when we send 2 x our zone (IXFR) every second hour from our distribution points.
Will it be possible to not drop the current state/signatures every time the zone gets updated? When a change happens, create a diff, add/remove signatures/nsec according to the diff, update old signatures?
// Rickard