[Opendnssec-user] How to disable automatic resigning which may do unnecessary work

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Sep 10 07:48:52 UTC 2012


Hi,

The signer does not understand the notion of disabling automatic
resigning. However, you could set the resign period to such a high value
that it will never be reached. For example one year (P1Y). Once you run
ods-signer sign --all, the resign period will be reset to one year again
from that moment in time.

Best regards,
  Matthijs



On 09/10/2012 08:02 AM, 刘硕 wrote:
> Hi Matthijs,
>>You can either run ods-signer <zone> for each zone, or ods-signer sign
>>--all to schedule them all. The automatic resigning will still work.
>>The ods-signer sign command is there just to tell OpenDNSSEC there is
>>new zone content. A zone will never be worked on more than once at a
>>time: if a sign task is currently being done, an ods-signer sign
>>command will be scheduled after the current sign task is finished.
>  
> We want to know if there is a way to disable the automatic resigning
> because it will only sign the RRs in memory, which do not contain
> newly added RRs. And I know that the only way to get the newly
> added RRs signed by ods-signerd is by running ods-signer sign <zone> or
> --all, but the automatic resigning will not stop working, even though
> there will not be two or more ods-signerd signing the same zone at the
> same time. But I think the automatic resigning is useless in this
> situation, where our RRs are in a quickly changing environment; I want
> to sign only the current status of the zone data, which the automatic
> resigning will not satisfy at times.
>  
> e.g. I want to re-load the whole data from the db every 15 min and
> generate new zone files; after the new zone files are generated, I would
> run ods-signer sign --all to sign all the zones. When the zones are
> signed I would make BIND reload them immediately. There could be a
> situation where, just after BIND's reloading, the automatic resigning
> gets the opportunity to sign the zones in memory, all of which were
> signed just now by the manually executed command, and at this time BIND
> will reload the zones again, which have the same RRs. So I think it's
> useful to have the feature of disabling automatic resigning and letting
> the manually executed command take over the signing function. The
> advantages are that the RRs are the right ones in the db and that the
> CPU is freed from resigning the same data again, which is set off by
> automatic resigning. Or I think the automatic resigning should reload
> the data from the /unsigned directory instead of resigning the RRs in
> memory.
>  
> I hope I have explained clearly, any suggestions?
>  
>  
> Best regards,
> Stuart
>  
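
Added example, not part of the original thread or of OpenDNSSEC's own code: with Resign raised to P1Y as suggested in the reply above, the 15-minute manual `ods-signer sign --all` job becomes the only thing that triggers signer runs, and signatures are only renewed during a run. This Python check compares the gap between runs with the Refresh window of a kasp.xml-style `<Signatures>` element. The fragment is constructed (only P1Y and the 15-minute interval come from the thread), and counting a year as 365 days and a month as 31 days is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <Signatures> fragment in the style of OpenDNSSEC's kasp.xml,
# with Resign raised to P1Y as suggested in the reply above.
KASP_SIGNATURES = """
<Signatures>
  <Resign>P1Y</Resign>
  <Refresh>P3D</Refresh>
  <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
  <Jitter>PT12H</Jitter>
  <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>
"""

_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumption: a year counts as 365 days and a month as 31 days.
_UNIT_SECONDS = (31536000, 2678400, 604800, 86400, 3600, 60, 1)

def duration_seconds(text):
    """Convert an ISO 8601 duration such as P1Y or PT15M to seconds."""
    match = _DUR.match(text.strip())
    if not match or text.strip() in ("P", "PT"):
        raise ValueError("not a duration: %r" % text)
    return sum(int(n) * s for n, s in zip(match.groups(), _UNIT_SECONDS) if n)

def audit(signatures_xml, manual_interval="PT15M"):
    """Compare the gap between signer runs with the Refresh window."""
    root = ET.fromstring(signatures_xml)
    resign = duration_seconds(root.findtext("Resign"))
    refresh = duration_seconds(root.findtext("Refresh"))
    validity = duration_seconds(root.findtext("Validity/Default"))
    manual = duration_seconds(manual_interval)
    return {
        "resign": resign, "refresh": refresh, "validity": validity,
        # A signature kept at one run has at least Refresh left, so it
        # survives to the next run only if the gap is shorter than Refresh.
        "ok_while_job_runs": min(manual, resign) < refresh,
        # If the manual job stops, Resign is the only remaining trigger.
        "ok_if_job_stops": resign < refresh,
    }

if __name__ == "__main__":
    for key, value in audit(KASP_SIGNATURES).items():
        print(key, value)
```

A false `ok_if_job_stops` means that a silent failure of the manual signing job would let RRSIGs expire before the signer next runs on its own, so the job's exit status and the signed zone's signature expiry times are worth monitoring.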

