[Opendnssec-develop] RE: Signing back-offs
Matthijs Mekking
matthijs at nlnetlabs.nl
Tue Jul 17 14:13:51 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/13/2012 04:39 PM, Sara Dickinson wrote:
>
> On 12 Jul 2012, at 16:09, Paul Wouters wrote:
>
>> I think something more preventive should be done. For example, if
>> signing has stopped, and running ods-control stop, rm -rf
>> /var/opendnssec/tmp/* ; ods-control start works around an issue,
>> then I see no reason why ODS itself cannot perform the equivalent
>> of this, and only leave the current behaviour of remaining in
>> back-off for developers so they can investigate the bug causing
>> this. The enduser just wants their zone to remain valid.
>
> Matthijs - do you think it would be possible to develop a safe
> mechanism to try to 'force' a signing for a particular zone through
> along the lines Paul suggests? I guess it would be the equivalent
> of the user doing
>> ods-signer clear <zone> ods-signer sign <zone>
We can do that, but why make another feature, if that functionality is
already there? You can run <clear, sign> right now.
>
> If so - could we add an option where a user can specify a parameter
> to control how many failed tries (or how long) the signer waits
> until it resorts to the force mechanism. Without this parameter
> defined then, by default, the system would still continue to back
> off.
I think this is good default behavior. Back off couple of times, if
after a couple of failed retries just force fresh resign. Could you
add the report to jira?
Best regards,
Matthijs
>
> Sara.
>
>
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJQBXMfAAoJEA8yVCPsQCW51QkH/AnNGw+QZ9ranbZVbmBg7riQ
d5318tu9YsODCvvPCBAAPO4jigC7/wGVOpBgo4icbsxLXH2VFq/VVfuorXpNA7wP
gIbxatQBrTNTIpGduZSMiVNRHQ8SL9mBXvIzob+W6AkeEsLcSkfQf54nh4LsHV25
okIH7YQjUiUyagREiO+SOzx++bixlOz0NQO9JgywVCZIpZOjjn7hdU+ItRG8iSSu
nbC4RrpzXFn3KNLYnnwCxnIYmLTALpdc2PhwmQ/QjPBO5gc3ydqEHuM+1R6SNTvP
d+gW51N3oWerVRLs5V1ajLTiik8yZKpx1JErAomAxhYuoxR8ylzAlZkhSGYrWwk=
=5Nj/
-----END PGP SIGNATURE-----
More information about the Opendnssec-develop
mailing list