[Opendnssec-user] How to determine when signing zone work ends

shuoleo at 126.com
Tue Sep 11 06:08:51 UTC 2012


Hi Matthijs,

I'm now using Adapter File, which is more stable than Adapter DNS.
The workflow is as follows:
1. generate zone files from the db and save them in ./unsigned/
2. when all the zone files are ready, run ods-signer sign --all
3. monitor whether there are signed zones in ./signed/ and immediately scp each signed
zone from ./signed to the hidden master BIND; after the transfer has completed, use "rndc reload"
to make BIND reload the newly signed zone file
4. test whether 
5. do the above steps every 15 mins

The problem is that sometimes the zone files in ./signed/ may not have been signed by ods-signer
sign --all; they may have been signed by the automatic resign, so sometimes the RRs in the zones are
not exactly the ones in the db. So as you suggested, I have changed the resign value to a relatively
large number, but I find that I have to change refresh, validity/default and validity/denial too,
so I cannot set the resign period to 1Y for example, because refresh should be larger than resign,
and validity/default and validity/denial should be larger than refresh. I think the validity is 30D,
which is commonly used by registries, so can you recommend other values?

And I knew that if a zone is not signed completely, ods-signerd will only create a <zone>.tmp file in
./signed/, but in my test I have found that a zone has been scped to the hidden master with a smaller size
than its supposed size, and its file name is test, not test.tmp, so my program is sure that it has been signed completely
and transfers it to the destination. Is there a possibility that ods-signerd signs a zone file incompletely and
still renames <zone>.tmp to <zone>? If not, I can hardly understand why the signed file is much smaller than the unsigned one.

Best regards,
Stuart
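The transfer step in the workflow above trusts the file name alone: once ./signed/<zone> exists without a .tmp suffix, the file is shipped. A check that a practitioner would want before the scp is to prove that the signed file actually carries every record of the unsigned source and adds nothing unexpected besides DNSSEC records. The script below is an added example, not code from the original post or from the OpenDNSSEC project. It assumes both files are in the one-record-per-line form with fully qualified owner names and explicit TTL and class; $ORIGIN/$TTL directives and multi-line parenthesised records are not handled. The zone contents, key and signature data are constructed placeholders, not real DNSSEC material.

```python
"""Compare an unsigned zone file with its signed counterpart before transferring it.

Added example for the workflow in the post above; not OpenDNSSEC code.
Assumption: one record per line, fully qualified owners, explicit TTL and class.
"""

# Record types the signer adds; they are expected to be absent from the unsigned zone.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}


def parse_zone(text):
    """Return a set of (owner, class, type, rdata) tuples, ignoring TTL and comments."""
    rrs = set()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue  # skip blank lines, comments and directives (not handled here)
        fields = line.split()
        owner = fields[0].lower().rstrip(".") + "."  # owner names are case-insensitive
        rest = fields[1:]
        if rest and rest[0].isdigit():  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":  # optional class
            rest = rest[1:]
        if not rest:
            continue
        rtype = rest[0].upper()
        rdata = " ".join(rest[1:])  # rdata kept as written (TXT data is case-sensitive)
        rrs.add((owner, "IN", rtype, rdata))
    return rrs


def compare_zones(unsigned_text, signed_text):
    """Return (missing, extra): unsigned records absent from the signed zone, and
    non-DNSSEC records in the signed zone that the unsigned zone lacks.
    The SOA is left out because the signer is allowed to bump its serial."""
    unsigned = parse_zone(unsigned_text)
    signed = {rr for rr in parse_zone(signed_text) if rr[2] not in DNSSEC_TYPES}
    missing = {rr for rr in unsigned - signed if rr[2] != "SOA"}
    extra = {rr for rr in signed - unsigned if rr[2] != "SOA"}
    return sorted(missing), sorted(extra)


def signed_zone_complete(unsigned_text, signed_text, origin):
    """True when the signed zone has a SOA at the apex, at least one RRSIG, every
    record of the unsigned zone, and no unexpected non-DNSSEC records."""
    signed = parse_zone(signed_text)
    has_soa = any(rr[0] == origin and rr[2] == "SOA" for rr in signed)
    has_rrsig = any(rr[2] == "RRSIG" for rr in signed)
    missing, extra = compare_zones(unsigned_text, signed_text)
    return has_soa and has_rrsig and not missing and not extra


# Constructed sample zone, not a real one.
UNSIGNED = """\
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2012091101 7200 3600 1209600 3600
example.test.      3600 IN NS   ns1.example.test.
ns1.example.test.  3600 IN A    192.0.2.1
www.example.test.  3600 IN A    192.0.2.10
"""

# Constructed signed output; DNSKEY/RRSIG/NSEC rdata are placeholders, not real signatures.
SIGNED_COMPLETE = """\
example.test.      3600 IN SOA  ns1.example.test. hostmaster.example.test. 2012091102 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 8 2 3600 20121011060000 20120911060000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.test.      3600 IN NS   ns1.example.test.
example.test.      3600 IN RRSIG NS 8 2 3600 20121011060000 20120911060000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
example.test.      3600 IN DNSKEY 256 3 8 AwEAAdummykey
example.test.      3600 IN NSEC ns1.example.test. NS SOA RRSIG NSEC DNSKEY
ns1.example.test.  3600 IN A    192.0.2.1
ns1.example.test.  3600 IN RRSIG A 8 3 3600 20121011060000 20120911060000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
www.example.test.  3600 IN A    192.0.2.10
www.example.test.  3600 IN RRSIG A 8 3 3600 20121011060000 20120911060000 12345 example.test. c2lnbmF0dXJlLXBsYWNlaG9sZGVy
"""

# A signed file that stopped short, like the undersized file described in the post.
SIGNED_TRUNCATED = "\n".join(SIGNED_COMPLETE.splitlines()[:7]) + "\n"

if __name__ == "__main__":
    for label, signed in (("complete", SIGNED_COMPLETE), ("truncated", SIGNED_TRUNCATED)):
        missing, extra = compare_zones(UNSIGNED, signed)
        ok = signed_zone_complete(UNSIGNED, signed, "example.test.")
        print(f"{label}: complete={ok} missing={missing} extra={extra}")
```

Run this against ./unsigned/<zone> and ./signed/<zone> before the scp and only transfer when signed_zone_complete() returns True; a file that is missing records is then held back regardless of whether the signer has already renamed it from .tmp.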