[Opendnssec-user] Immediate sign & locking issue (1.4.0a2)

Sander Smeenk ssmeenk at freshdot.net
Mon Jul 2 09:46:11 UTC 2012

Quoting Siôn Lloyd (sion at nominet.org.uk):

> >When I add a zone to ODS I want it signed on disk immediately.
> >This is why I currently add zones with this command sequence:
> >   ods-ksmutil zone add $zone
> >   ods-ksmutil update zonelist
> >   ods-signer sign $zone
> the current enforcer has no facility to process just a single zone,
> so as you point out the update makes it process all the zones that
> it knows about.

OK. That's too bad. But am I correct that I need to run 'update
zonelist' before being able to call 'sign $zone' or is this step
unnecessary and would a signer reload resolve the problems too?

On a different subject;
This issue fits my perception that the entire introduction of DNSSEC
to the DNS world comes from a registry point-of-view. There have been a
lot of talks from registries implementing DNSSEC with just one (huge)
zone and virtually no information or experience seems to be shared from
registrars who have to deal with thousands of (small) zones.

Not at all to discredit the hard work you guys put in OpenDNSSEC but
this enforcer design implementation of OpenDNSSEC also fits the 'we
only manage one or two zones, not fourteen thousand'-mindset, imho.

> Using MySQL should fix the issue, we do no locking then.

I'll try to switch to MySQL then. Quite possibly the enforcer runs will
speed up significantly from that too. 

Is there any experience on this list with switching to MySQL coming
from SQLite that people want to share?

With regards,
| A box without hinges, key, or lid, yet golden treasure inside is hid.
| 4096R/20CC6CD2 - 6D40 1A20 B9AA 87D4 84C7  FBD6 F3A9 9442 20CC 6CD2
