[Opendnssec-user] How to disable automatic resigning which may do unnecessary work
shuoleo at 126.com
Mon Sep 10 06:02:09 UTC 2012
Hi Matthijs,
>You can either run ods-signer <zone> for each zone, or ods-signer sign
>--all to schedule them all. The automatic resigning will still work.
>The ods-signer sign command is there just to tell OpenDNSSEC there is
>new zone content. A zone will never be worked on more than once at a
>time: if a sign task is currently being done, an ods-signer sign
>command will be scheduled after the current sign task is finished.
We want to know if there is a way to disable the automatic resigning,
because it will only sign the RRs in memory, which do not contain
newly added RRs. I know that the only way to get the newly
added RRs signed by ods-signerd is by running ods-signer sign <zone> or
--all, but the automatic resigning will not stop working, even though there
will not be two or more ods-signerd signing the same zone at the same
time. But I think the automatic resigning is useless in this situation,
where our RRs are in a quickly changing environment. I want to sign only
the current status of the zone data, which the automatic resigning will
not satisfy at some times.
E.g. I want to re-load the whole data from the db every 15 min and generate new
zone files. After the new zone files are generated, I would run ods-signer sign --all
to sign all the zones. When the zones are signed I would make BIND reload them
immediately. There could be a situation where, just after BIND's reload,
the automatic resigning gets the opportunity to sign the zones in memory, all of
which were signed just now by the manually executed command, and at this time BIND
will reload the zones again, which have the same RRs. So I think it would be useful to
have a feature to disable automatic resigning and let the manually executed command
take over the signing function. The advantages are that the RRs are the right ones
in the db, and that the CPU is freed from resigning the same data again, which is set
off by automatic resigning. Or I think the automatic resigning should reload
the data from the /unsigned directory instead of resigning the RRs in memory.
I hope I have explained clearly. Any suggestions?
Best regards,
Stuart