[Opendnssec-develop] RE: Signing back-offs

Sara Dickinson sara at sinodun.com
Wed Jul 18 12:19:01 UTC 2012


On 17 Jul 2012, at 15:13, Matthijs Mekking wrote:

> 
> On 07/13/2012 04:39 PM, Sara Dickinson wrote:
>> 
>> On 12 Jul 2012, at 16:09, Paul Wouters wrote:
>> 
>>> I think something more preventive should be done. For example, if
>>> signing has stopped, and running ods-control stop, rm -rf
>>> /var/opendnssec/tmp/* ; ods-control start works around an issue,
>>> then I see no reason why ODS itself cannot perform the equivalent
>>> of this, and only leave the current behaviour of remaining in
>>> back-off for developers so they can investigate the bug causing
>>> this. The end user just wants their zone to remain valid.
>> 
>> Matthijs - do you think it would be possible to develop a safe
>> mechanism to try to 'force' a signing for a particular zone through
>> along the lines Paul suggests? I guess it would be the equivalent
>> of the user doing
>>     ods-signer clear <zone>
>>     ods-signer sign <zone>
> 
> We can do that, but why make another feature, if that functionality is
> already there? You can run <clear, sign> right now.

I meant for internal use in the context below, not another CLI command
but I didn't make this clear - sorry.

Paul - thanks for this suggestion.

> 
>> 
>> If so - could we add an option where a user can specify a parameter
>> to control how many failed tries (or how long) the signer waits
>> until it resorts to the force mechanism. Without this parameter
>> defined then, by default, the system would still continue to back
>> off.
> 
> I think this is good default behavior. Back off a couple of times,
> then after a couple of failed retries just force a fresh resign.
> Could you add the report to jira?

https://issues.opendnssec.org/browse/OPENDNSSEC-305

It is assigned to 1.4.1 for now but we can review this.

> 
> Best regards,
>  Matthijs
> 
>> 
>> Sara.