[Opendnssec-develop] ODS signs a zone twice initially

sion at nominet.org.uk
Thu Mar 4 15:13:43 UTC 2010


> It seems like ODS always signs a zone twice initially. Is that as
> intended? I didn’t expect this. Resign was set to 2 hours, but the
> signing only took 41 minutes. So that shouldn’t be the cause.

It looks to me like the enforcer is generating new keys and publishing
them; however the signer is maybe picking up an old signconf file and using
the keys in that.

When the enforcer finishes it sees that the signconf has changed and kicks
off the signer a second time.

Note that running "ods-ksmutil setup" does not remove files from the
signconf directory _or_ from softhsm, so the signer will happily run with
the old information.

Sion

