[Opendnssec-develop] RE: Signing back-offs

Sara Dickinson sara at sinodun.com
Fri Jul 13 14:39:50 UTC 2012

On 12 Jul 2012, at 16:09, Paul Wouters wrote:

> I think something more preventive should be done. For example, if signing
> has stopped, and running ods-control stop, rm -rf /var/opendnssec/tmp/*
> ; ods-control start works around an issue, then I see no reason why ODS
> itself cannot perform the equivalent of this, and only leave the current
> behaviour of remaining in back-off for developers so they can investigate
> the bug causing this. The end user just wants their zone to remain valid.

Matthijs - do you think it would be possible to develop a safe mechanism to try to 'force' a signing for a particular zone through along the lines Paul suggests? I guess it would be the equivalent of the user doing:
> ods-signer clear <zone>
> ods-signer sign <zone>

If so - could we add an option where a user can specify a parameter to control how many failed tries (or how long) the signer waits until it resorts to the force mechanism? Without this parameter defined then, by default, the system would still continue to back off.


