[Opendnssec-develop] Manual resigning

Sion Lloyd sion at nominet.org.uk
Thu Jul 15 11:08:38 UTC 2010


> We are testing a scenario where resigning is done manually. So every time a
> new zone has been created we run "ods-signer sign zone". We set "resign"
> in our kasp.xml to P10Y. This way we want to ensure the signing starts
> directly after the new zone has been generated and put in place.
> 
> One thing bothers us though. Apparently we need the enforcer to run in
> order to initiate the rollover. But even though we have a P10Y resign set,
> the enforcer initiated a signing of the zone. Logging is enclosed in the
> attachment.
> 
> Is there any way to prevent the Enforcer from initiating signing of zones?
> 

Not in any nice way, no. The enforcer will only kick off the signer if it sees 
that the signconf has changed, however.

If you _really_ want to do this then you could alter the define of 
SIGNER_CLI_UPDATE in config.h. I couldn't recommend doing that though.

You could also run the enforcer at roughly the signature validity interval, so 
that you would need to resign then anyway?

Sion


