[Opendnssec-user] Some questions about signing zone

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jul 19 13:07:34 UTC 2012

On 07/19/2012 11:50 AM, Javier Jiménez Huedo wrote:
> Hi Matthijs,
>> Hi Javier,
>> On 07/11/2012 02:53 PM, Javier Jiménez Huedo wrote:
>>> Hello,
>>> I have some doubts about how OpenDNSSEC signs the zones.
>>> I configured the file "kasp.xml" with the following
>>> parameters:
>>> <Resign>PT5H</Resign>
>>> <Refresh>P2D</Refresh>
>>> I think this will cause the daemon "signer" to be executed
>>> every 5 hours.
>> The signer daemon will check for signing the zones with this
>> policy every 5 hours, yes.
> So, which file is checked by the signer daemon every 5 hours? The input
> zone file (unsigned) or the output zone file (signed file) defined in
> the "zonelist.xml" file?

It maintains state internally and in the working directory.

>>> My questions are:
>>> If I modify the zone file "db_unsigned.mydomain", updating the
>>> serial and adding some new "IN A" records, after waiting for 5
>>> hours the signed file "db_signed.mydomain" is not updated (none
>>> of the new entries were added). However, if I run the command
>>> "ods-signer sign mydomain", forcing the sign process, when it
>>> finishes the signed zone file "db_signed.mydomain" is updated
>>> with the new entries.
>> After you made changes in the unsigned zone file, you explicitly
>> have to run "ods-signer sign mydomain" to get the updates in the
>> zone mydomain signed. In other words, the command "ods-signer
>> sign mydomain" makes the signer read the unsigned zone.
> Ok. New entries in input zone file (unsigned) are NOT checked and 
> signed every resign-interval (5 Hours), is it correct?

Correct. You need to run 'ods-signer sign <zone>' specifically to
introduce the new entries.

>> After 5 hours of waiting, probably no signatures have expired or
>> are 2 days from expiring (<Refresh>P2D</Refresh>), so the signed
>> zone does not need to be updated. The logs may provide you
>> with a hint that no new signed zone file was necessary, depending
>> on the verbosity settings.
> The unsigned zone file (input file) is only signed if there are any
> expired entries or if entries are going to expire (during the 2
> days of the "refresh interval"). If any of these conditions is true and
> there are new entries in the unsigned zone file (input file), are
> these new entries going to be signed too?

The conditions are not true, as explained above.

> Is expired-entry info stored in the SQLite3 database, or is it the signer
> daemon that checks every entry in the signed zone file (output file)?
> If every entry is checked in the output file, I understand that new
> entries are not going to be signed, correct?

The signer does not use the sqlite3 database, that is information for
the enforcer. The signer checks every entry in the signed internal
zone file, and decides to output a new signed zone file if there was a
new signature.

To summarize:

- To add new RRs, or remove RRs, run 'ods-signer sign <zone>'

- Every resign interval, the signer checks if a new signed zone file
is required. This does not mean a new signed zone file is written
*every* resign interval.

Best regards,

>> By the way, you don't have to update the serial in the unsigned
>> zone file, OpenDNSSEC does that for you (unless you use the kasp
>> parameter SOA/Serial "keep").
>>> Is it always necessary to run "ods-signer sign mydomain" in
>>> order to update the signed zone file (db_signed.mydomain)? If
>>> not, is any other additional configuration needed to do it
>>> automatically every 5 hours?
>> Only if you have made changes to the unsigned zone file.
>>> On the other hand, it seems strange that every time the signer
>>> daemon has to run the sign operation, all the entries of the
>>> unsigned zone file ("db.unsigned.mydomain") have to be signed
>>> again. That is, each time the signer acts, all the
>>> entries are signed again (not only the new entries detected) to
>>> generate the signed file. In this case, the following questions
>>> arose:
>> During the sign operation, the signer will check each RRset and
>> look if it requires a new signature. So only RRsets that don't
>> have a (fresh) signature will be resigned.
>>> 3) What would happen with a zone file "db_unsigned.mydomain"
>>> (unsigned) with 5 million records? Would it be necessary to sign
>>> all the entries every 5 hours even if they were signed
>>> previously with a ZSK that has not expired?
>> Nope. Though all RRsets will be checked to see if they need to
>> be resigned.
>>> Thank you very much.
>> You are welcome.
> Thank you very much again :-)
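As an added illustration of the resign-interval check described in this thread (a simplified model written for this page, not OpenDNSSEC's own code): it parses the kasp.xml Resign/Refresh durations and, on each pass, renews only the RRSIGs that are expired or inside the Refresh window, which is why a pass often writes no new signed zone file. The RRSIG expiration times, owner names and the 14-day validity period are constructed assumptions.

```python
# Simplified model of the signer's refresh check (added example, not OpenDNSSEC code).
import re
from datetime import datetime, timedelta, timezone

# Subset of ISO 8601 durations as used in kasp.xml, e.g. PT5H or P2D.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Turn a kasp.xml duration such as PT5H or P2D into a timedelta."""
    m = _DUR.match(text)
    if not m or not any(m.groups()):
        raise ValueError("unsupported duration: %s" % text)
    days, hours, minutes, seconds = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=hours, minutes=minutes, seconds=seconds)

def resign_check(rrsigs, now, refresh):
    """One resign-interval pass over the internal signed zone: return the owner
    names whose RRSIG is expired or expires within the Refresh window. An empty
    result means no new signed zone file needs to be written."""
    return sorted(name for name, expiry in rrsigs.items() if expiry - now <= refresh)

# Constructed sample state: three RRSIG expiration times in the signed zone.
NOW = datetime(2012, 7, 19, 13, 0, tzinfo=timezone.utc)
SAMPLE_RRSIGS = {
    "www.mydomain.": NOW + timedelta(days=10),    # fresh, left alone
    "mail.mydomain.": NOW + timedelta(hours=36),  # inside the 2-day Refresh window
    "old.mydomain.": NOW - timedelta(hours=1),    # already expired
}

def schedule(resign_text, refresh_text, rrsigs, now, passes):
    """Simulate consecutive resign intervals; each entry is (check time, renewed names)."""
    resign, refresh = parse_duration(resign_text), parse_duration(refresh_text)
    state, results = dict(rrsigs), []
    for i in range(passes):
        t = now + i * resign
        renewed = resign_check(state, t, refresh)
        for name in renewed:
            state[name] = t + timedelta(days=14)  # assumed new signature validity
        results.append((t, renewed))
    return results

if __name__ == "__main__":
    for t, renewed in schedule("PT5H", "P2D", SAMPLE_RRSIGS, NOW, 3):
        print(t.isoformat(), "resigned:", renewed or "nothing (no new signed zone file)")
```

Note that the model only ever looks at the signatures already in the signed zone; RRsets added to the unsigned file are not seen until 'ods-signer sign <zone>' is run, exactly as described above.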
