[Opendnssec-develop] Zone re-sign interval and SOA serial
jelte at NLnetLabs.nl
Wed May 20 09:09:41 UTC 2009
-----BEGIN PGP SIGNED MESSAGE-----
Rickard Bondesson wrote:
> This is a show-stopper for the deployment at .SE with the first version of OpenDNSSEC
> Since this is how our current scenario looks like. And I do not think our slave server operators will be so happy when we send 2 x our zone (IXFR) every second hour from our distribution points.
> Will it be possible to not drop the current state/signatures every time the zone gets updated? When a change happen, create a diff, and/remove signatures/nsec according to the diff, update old signatures?
i was thinking about a few trick to accomplish something like that, but haven't
had time to try them out yet
in short it would be running through the same sorting/nseccing process, but let
the signer accept an optional 'previous' file; if there is an RR in both files;
look in the second for a possibly-valid sig, and use that.
i'll try it out once libhsm is done enough to work with
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop