[Opendnssec-user] Resigning period issue

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Jul 4 07:17:59 UTC 2012


Hi,

The probable reason *it looks like* that at some time "signing process
doesn't work" is that there were no new signatures required. The
signing process could reuse all signatures, hence no reason to output
a new zone.

Also, when you run a command like ods-signer update, sign or flush,
this can interfere with the Resign interval.

On why there are two [STATS] logs at the same time: It looks like one is
coming from a resign period (the RR count is 0, which means there were
no new RRs) and the other comes from an ods-signer sign example command
(the RR count is 1, which looks like only the SOA RR has been
updated). Are you perhaps running something like ods-signer sign
example from cron?

Hope this clarifies things.

Best regards,
  Matthijs

On 07/04/2012 03:34 AM, 刘硕 wrote:
> Hi Matthijs,
>
> I have a zone with "lab" policy in kasp.xml, and its
> default Resign period is "PT10M", but I find the log shows the
> signing is not continuous. Below is a brief of the log:
>
> $ cat /var/log/messages | grep "STATS"
> Jul  4 05:13:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 05:33:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 05:33:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=1 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
>
> Jul  4 05:43:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 06:03:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 06:13:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 06:23:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 06:33:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=1 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 06:43:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:03:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:13:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:23:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:33:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:33:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=1 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=1 reused=4 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 07:53:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:03:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:13:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:23:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:33:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:43:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 08:53:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 09:03:06 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 09:09:58 CST-BJ-104 ods-signerd: [STATS] example RR[count=1 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> Jul  4 09:19:58 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
> 
> 
> As can be seen from above, at some time signing process doesn't
> work, such as 05:23:05, 05:53:05, etc. And at 05:33:05, there are even
> two signing records! I don't know what the problem is. If the
> automatic resigning doesn't do its work as expected, I would like
> to add the ods-signer command in crontab, but I don't think it's a
> good idea, because there would be a situation where both the
> crontab and OpenDNSSEC's signerd sign the zone file. Any
> ideas?
> 
> Thank you all!
> 
> Best regards, Stuart 
> Stuart Lau

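The reading of the log given in the reply can be checked mechanically. The following is an added example, not part of the original messages and not OpenDNSSEC code: it parses ods-signerd [STATS] lines, lists the 10-minute slots in which no [STATS] line was written, the timestamps that carry more than one line, and the runs whose RR count is non-zero. Assumptions: the year 2012 (syslog omits it), a 30-second slack for timestamp drift, and function names chosen for this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Sample input: five [STATS] lines copied from the log quoted in the thread.
SAMPLE = """\
Jul  4 05:13:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul  4 05:33:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=3 reused=2 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul  4 05:33:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=1 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul  4 05:43:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
Jul  4 06:03:05 CST-BJ-104 ods-signerd: [STATS] example RR[count=0 time=0(sec)] NSEC[count=0 time=0(sec)] RRSIG[new=2 reused=3 time=0(sec) avg=0(sig/sec)] TOTAL[time=0(sec)]
"""

STATS_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ ods-signerd: \[STATS\] (\S+) "
    r"RR\[count=(\d+)[^\]]*\] NSEC\[[^\]]*\] RRSIG\[new=(\d+) reused=(\d+)")

def parse(text, zone="example", year=2012):
    """Return (time, rr_count, sigs_new, sigs_reused) tuples for one zone."""
    rows = []
    for line in text.splitlines():
        m = STATS_RE.match(line.strip())
        if m and m.group(2) == zone:
            # Assumption: syslog lines carry no year, so one is supplied.
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            rows.append((ts, int(m.group(3)), int(m.group(4)), int(m.group(5))))
    return sorted(rows, key=lambda r: r[0])

def analyze(text, interval=timedelta(minutes=10), slack=timedelta(seconds=30)):
    """interval mirrors the PT10M Resign period; slack is an assumed tolerance."""
    rows = parse(text)
    times = [r[0] for r in rows]
    quiet = []  # expected slots with no [STATS] line, i.e. no new zone was output
    for prev, cur in zip(times, times[1:]):
        slot = prev + interval
        while slot + slack < cur:
            quiet.append(slot.strftime("%H:%M:%S"))
            slot += interval
    same_second = [t.strftime("%H:%M:%S") for t, n in Counter(times).items() if n > 1]
    # Per the reply: RR count 0 looks like a resign pass, RR count > 0 like an
    # explicit sign/update (for example from cron).
    rr_changed = [r[0].strftime("%H:%M:%S") for r in rows if r[1] > 0]
    return {"quiet_slots": quiet, "same_second": same_second, "rr_changed": rr_changed}
```

A slot in `quiet_slots` is not an error by itself: according to the reply, no line is written when every signature could be reused.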
