[Opendnssec-user] Some questions about signing zone

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Jul 11 14:22:44 UTC 2012

Hash: SHA1

Hi Javier,

On 07/11/2012 02:53 PM, Javier Jiménez Huedo wrote:
> Hello,
> I have some doubts about how OpenDNSSEC sign the zones.
> I configured the file "kasp.xml" with the following parameters:
> <Resign>PT5H</Resign>
> <Refresh>P2D</Refresh>
> I think this will cause the daemon "signer" to be executed every 5
> hours.

The signer daemon will check for signing the zones with this policy
every 5 hours, yes.

> My questions are:
> If I modify the zone file "db_unsigned.mydomain" updating the
> serial and adding some new records "IN A", after waiting for 5
> hours the signed file "db_signed.mydomain" is not updated (any of
> the new entries were added). However, if I run the command
> "ods-signer sign mydomain", forcing the sign process,  when it
> finish the signed zone file "db_signed.mydomain" is updated with
> new entries.

After you made changes in the unsigned zone file, you explicitly have
to run "ods-signer sign mydomain" to get the updates in the zone
mydomain signed. In other words, the command "ods-signer sign
mydomain" makes the signer read the unsigned zone.

After 5 hours of waiting, probably no signatures have expired or are 2
days from expiring (<Refresh>P2D</Refresh>), so the signed zone does
not require to be updated. The logs may provide you with a hint that
no new signed zone file was necessary, depending on the verbosity

By the way, you don't have to update the serial in the unsigned zone
file, OpenDNSSEC does that for you (unless you use the kasp parameter
SOA/Serial "keep").

> Is it always necessary to run "ods-signer sign mydomain” in order
> to update the signed zone file (db_signed.mydomain)? If not, is any
> other additional configuration need to do it automatically every 5
> hours?

Only if you have made changes to the unsigned zone file.

> In the other hand, it seems strange that every time when signer ‘s 
> daemon have to run sign operation, all the entries of the unsigned 
> zone file ("db.unsigned.mydomain") have to be signed again. That
> is, each time that the signers acts, all the entries are signed
> again (not only the new entries detected) to generate the signed
> file. On this case, the following questions arose:

During the sign operation, the signer will check each RRset and look
if it requires a new signature. So only RRsets that don't have a
(fresh) signature will be resigned.

> 3) What would happen with a zone file "db_unsigned.mydomain" 
> (unsigned) with 5 million records? Would be necessary to sing all
> the entries every 5 hours even if they were signed previously with
> a not expired ZSK?

Nope. Though all RRsets will be checked to see if they need to be

> Thank you very much.

You are welcome.

Best regards,


> _______________________________________________ Opendnssec-user
> mailing list Opendnssec-user at lists.opendnssec.org 
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/


More information about the Opendnssec-user mailing list