[Opendnssec-develop] Zone re-sign interval and SOA serial

Jelte Jansen jelte at NLnetLabs.nl
Wed May 20 09:09:41 UTC 2009

Hash: SHA1

Rickard Bondesson wrote:
> This is a show-stopper for the deployment at .SE with the first version of OpenDNSSEC
> Since this is how our current scenario looks like. And I do not think our slave server operators will be so happy when we send 2 x our zone (IXFR) every second hour from our distribution points.
> Will it be possible to not drop the current state/signatures every time the zone gets updated? When a change happen, create a diff, and/remove signatures/nsec according to the diff, update old signatures?

i was thinking about a few trick to accomplish something like that, but haven't
had time to try them out yet

in short it would be running through the same sorting/nseccing process, but let
the signer accept an optional 'previous' file; if there is an RR in both files;
look in the second for a possibly-valid sig, and use that.

i'll try it out once libhsm is done enough to work with


Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org


More information about the Opendnssec-develop mailing list