[Opendnssec-user] Keep timestamp and re-sign

Einar Bjarni Halldórsson einar at isnic.is
Mon Mar 19 16:05:42 UTC 2012


Hi,

Since we regenerate our zone automatically every 20 minutes, we are using "keep" as our serial. I see in the logs that I get regular errors because the signer tries to run but can't because the serial hasn't been incremented. Since we only call the signer if the serial has been incremented, I guess the enforcerd is trying to re-sign some records or something and failing since the serial hasn't been incremented.

This got me thinking: what happens if an error or something means we don't regenerate our zone for a few hours or even days... will the signatures just become invalid since the enforcerd can't update them?

.einar

