[Opendnssec-user] Keep timestamp and re-sign

Rickard Bellgrim rickard at opendnssec.org
Tue Mar 20 10:43:25 UTC 2012


> Since we regenerate our zone automatically every 20 minutes we are using "keep" as our serial. I see in the logs that I get regular errors because the signer tries to run but can't because the serial hasn't been incremented. Since we only call the signer if the serial has been incremented, I guess the enforcerd is trying to resign some records or something and failing since the serial hasn't been incremented.

Since you are calling regularly every 20 minutes, then you can have
the re-sign interval higher than that (see kasp.xml). You will call
"ods-signer sign <zone>" before the automatic task kicks in. You will
thus not get the warning that it could not increment the serial.

The ods-enforcerd will never sign anything. That is the job of the ods-signerd.

> This got me thinking, what happens if an error or something means we don't regenerate our zone for a few hours or even days... will the signatures just become invalid since the enforcerd can't update them?

That is the job of the ods-signerd and not ods-enforcerd, but yes, the
signatures will expire if you do not feed it with new serials when
running in the keep mode. The refresh interval determines the minimum
remaining lifetime of the signatures in your zone. Keep it high enough
to give you time to recover the system.

// Rickard
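
A monitoring check for the failure mode discussed in this thread (signatures aging out when no new serial arrives in keep mode), added here as an example; it is not part of the original message or of OpenDNSSEC. It assumes the signed zone file has one record per line, and the sample zone, key tag, times and the `recovery_window` name are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: signed-zone lines, one record per line (assumed layout).
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. host.example.com. 2012032001 3600 600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20120327104325 20120320094325 12345 example.com. c2FtcGxl
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20120323080000 20120316070000 12345 example.com. c2FtcGxl
"""

def parse_rrsig_time(field):
    """RFC 4034 timestamp: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_expirations(zone_text):
    """Yield (owner, type covered, expiration) for every RRSIG line."""
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()
        # The record type sits after the owner and the optional TTL/class,
        # so an "RRSIG" inside an NSEC type bitmap is not matched.
        if "RRSIG" not in tokens[1:4]:
            continue
        i = tokens.index("RRSIG", 1)
        # RDATA order: type covered, algorithm, labels, original TTL, expiration
        yield tokens[0], tokens[i + 1], parse_rrsig_time(tokens[i + 5])

def min_remaining(zone_text, now):
    """Return (remaining, owner, type) for the signature that expires first."""
    sigs = [(exp - now, owner, rtype)
            for owner, rtype, exp in rrsig_expirations(zone_text)]
    if not sigs:
        raise ValueError("no RRSIG records found")
    return min(sigs)

def check(zone_text, now, recovery_window):
    """True when every signature outlives the time needed to recover."""
    remaining, owner, rtype = min_remaining(zone_text, now)
    return remaining >= recovery_window, remaining, owner, rtype

if __name__ == "__main__":
    now = datetime(2012, 3, 20, 10, 43, 25, tzinfo=timezone.utc)  # constructed "now"
    ok, remaining, owner, rtype = check(SAMPLE_ZONE, now, timedelta(days=3))
    print("OK" if ok else "WARNING", owner, rtype, "expires in", remaining)
```

Run against the real signed zone with the current time, an alert from this check means the zone has not been re-signed recently enough to keep the chosen recovery window.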


