[Opendnssec-user] Some questions about signing zone

Javier Jiménez Huedo bodegax at gmail.com
Thu Jul 19 09:50:57 UTC 2012

Hi Matthijs,

> Hi Javier,
> On 07/11/2012 02:53 PM, Javier Jiménez Huedo wrote:
>> Hello,
>> I have some doubts about how OpenDNSSEC sign the zones.
>> I configured the file "kasp.xml" with the following parameters:
>> <Resign>PT5H</Resign>
>> <Refresh>P2D</Refresh>
>> I think this will cause the daemon "signer" to be executed every 5
>> hours.
> The signer daemon will check for signing the zones with this policy
> every 5 hours, yes.

So, Which file is checked by signer daemon every 5 hours? input zone
file (unsigned) or output zone file (signed file) defined in
"zonelist.xml" file?

>> My questions are:
>> If I modify the zone file "db_unsigned.mydomain" updating the
>> serial and adding some new records "IN A", after waiting for 5
>> hours the signed file "db_signed.mydomain" is not updated (any of
>> the new entries were added). However, if I run the command
>> "ods-signer sign mydomain", forcing the sign process,  when it
>> finish the signed zone file "db_signed.mydomain" is updated with
>> new entries.
> After you made changes in the unsigned zone file, you explicitly have
> to run "ods-signer sign mydomain" to get the updates in the zone
> mydomain signed. In other words, the command "ods-signer sign
> mydomain" makes the signer read the unsigned zone.

Ok. New entries in input zone file (unsigned) are NOT checked and
signed every resign-interval (5 Hours), is it correct?

> After 5 hours of waiting, probably no signatures have expired or are 2
> days from expiring (<Refresh>P2D</Refresh>), so the signed zone does
> not require to be updated. The logs may provide you with a hint that
> no new signed zone file was necessary, depending on the verbosity
> settings.

Unsigned zone file (input file) is only signed if there are any
expired entries or if entries are going to expire (during the 2 days
of "refresh interval"). If any of these conditions is true and there
is new entries on Unsigned zone file (input file), are going these new
entries to be signed too?

Are expired entries info stored in SQlite3 database? or is signer
daemon who checks every entry in the signed zone file (out file)? IF
every entry is checked on output file, I understood that new entries
are not going to be signed, correct?

> By the way, you don't have to update the serial in the unsigned zone
> file, OpenDNSSEC does that for you (unless you use the kasp parameter
> SOA/Serial "keep").
>> Is it always necessary to run "ods-signer sign mydomain” in order
>> to update the signed zone file (db_signed.mydomain)? If not, is any
>> other additional configuration need to do it automatically every 5
>> hours?
> Only if you have made changes to the unsigned zone file.
>> In the other hand, it seems strange that every time when signer ‘s
>> daemon have to run sign operation, all the entries of the unsigned
>> zone file ("db.unsigned.mydomain") have to be signed again. That
>> is, each time that the signers acts, all the entries are signed
>> again (not only the new entries detected) to generate the signed
>> file. On this case, the following questions arose:
> During the sign operation, the signer will check each RRset and look
> if it requires a new signature. So only RRsets that don't have a
> (fresh) signature will be resigned.
>> 3) What would happen with a zone file "db_unsigned.mydomain"
>> (unsigned) with 5 million records? Would be necessary to sing all
>> the entries every 5 hours even if they were signed previously with
>> a not expired ZSK?
> Nope. Though all RRsets will be checked to see if they need to be
> resigned.
>> Thank you very much.
> You are welcome.

Thank you very much again :-)

More information about the Opendnssec-user mailing list