[Opendnssec-user] Some questions about signing zone

Javier Jiménez Huedo bodegax at gmail.com
Wed Jul 11 12:53:39 UTC 2012


Hello,

I have some doubts about how OpenDNSSEC signs the zones.

I configured the file "kasp.xml" with the following parameters:

    <Resign>PT5H</Resign>
    <Refresh>P2D</Refresh>


I think this will cause the daemon "signer" to be executed every 5 hours.

My questions are:

If I modify the zone file "db_unsigned.mydomain", updating the serial
and adding some new "IN A" records, after waiting for 5 hours the
signed file "db_signed.mydomain" is not updated (none of the new
entries were added).
However, if I run the command "ods-signer sign mydomain", forcing the
sign process, when it finishes the signed zone file
"db_signed.mydomain" is updated with the new entries.

Is it always necessary to run "ods-signer sign mydomain" in order to
update the signed zone file (db_signed.mydomain)? If not, is any
additional configuration needed to do it automatically every 5 hours?

On the other hand, it seems strange that every time the signer
daemon has to run a sign operation, all the entries of the unsigned
zone file ("db_unsigned.mydomain") have to be signed again. That is,
each time the signer acts, all the entries are signed again (not
only the new entries detected) to generate the signed file. In this
case, the following questions arise:

3) What would happen with an unsigned zone file "db_unsigned.mydomain"
with 5 million records? Would it be necessary to sign all the
entries every 5 hours even if they were signed previously with a ZSK
that has not expired?
Thank you very much.