[Opendnssec-user] How to determine when signing zone work ends
Sara Dickinson
sara at sinodun.com
Wed Sep 12 09:53:56 UTC 2012
On 11 Sep 2012, at 07:08, wfXLtg== wrote:
> Hi Matthijs,
>
> I'm now using Adapter File which is more stable than Adapter DNS.
> The work flow is as follows:
> 1.generate zone files from db and save them in ./unsigned/
> 2.when all the zone files are ready, run ods-signer sign --all
> 3.monitor whether there are signed zones in ./signed/ and immediately scp the signed
> zone from ./signed to the hidden master BIND; after the transfer has completed, use "rndc reload"
Are you using the <NotifyCommand> mechanism for this? This is the best way to determine when the
signing is complete.
> to make BIND reload the newly signed zone file
> 4.test whether
> 4.do the above steps every 15 mins
>
> The problem is that sometimes the zone files in ./signed/ may not have been signed by ods-signer
> sign --all; they may have been signed by the automatic resign, so sometimes the RRs in the zones are
> not the exact ones in the db. So, as you suggested, I have changed the resign value to a relatively
> large number, but I find that I have to change refresh, validity/default and validity/denial too,
> so I cannot set the resign period to 1Y, for example, because refresh should be larger than resign
> and validity/default and validity/denial should be larger than refresh. I think a validity of 30D
> is commonly used by registries, so can you recommend other values?
>
> And I knew that if a zone is not signed completely, ods-signerd will only create a <zone>.tmp file in
> ./signed/, but in my test I have found that a zone was scped to the hidden master with a smaller size
> than its expected size, and its file name was test, not test.tmp, so my program was sure that it was signed completely
> and transferred it to the destination. Is there a possibility that ods-signerd signs a zone file incompletely and
> still renames <zone>.tmp to <zone>? If not, I can hardly understand why the signed file is much smaller than the unsigned one.
Perhaps you can send us your xml files and log files offlist?
Thanks
Sara.
>
> Best regards,
> Stuart
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
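Added example, not code from this thread or from the OpenDNSSEC project: a hook of the kind run via `<NotifyCommand>` in conf.xml, which the signer invokes only after it has finished writing a zone, so no cron job has to poll ./signed/. Before copying, it refuses any file that does not look like a complete signed zone (a .tmp working file, an empty or truncated file, or one with no SOA or RRSIG). The hidden-master hostname, remote directory and the exact conf.xml line are assumptions.

```shell
#!/bin/sh
# Hypothetical NotifyCommand hook (added example, not OpenDNSSEC's own code).
# Assumed conf.xml wiring, with the signer substituting %zone and %zonefile:
#   <NotifyCommand>/usr/local/bin/push-signed-zone.sh %zone %zonefile</NotifyCommand>
# Placeholders (assumptions): override via environment if needed.
HIDDEN_MASTER="${HIDDEN_MASTER:-hidden-master.example.invalid}"
REMOTE_DIR="${REMOTE_DIR:-/var/named/signed}"

# Return 0 only if the file looks like a complete signed zone:
#  - it exists and is not a .tmp working file,
#  - it is non-empty,
#  - it contains an SOA record and at least one RRSIG,
#  - its last line is newline-terminated (a truncated copy usually is not).
check_signed_zone() {
    f="$1"
    [ -f "$f" ] || return 1
    case "$f" in *.tmp) return 1 ;; esac
    [ -s "$f" ] || return 1
    grep -q -E '[[:space:]]SOA[[:space:]]' "$f" || return 1
    grep -q -E '[[:space:]]RRSIG[[:space:]]' "$f" || return 1
    # $(...) strips a trailing newline, so an empty result means the
    # final byte was a newline.
    [ -z "$(tail -c 1 "$f")" ] || return 1
    return 0
}

# Copy the signed zone to the hidden master and reload it there.
push_zone() {
    zone="$1"
    file="$2"
    if ! check_signed_zone "$file"; then
        echo "refusing to push incomplete signed zone $zone ($file)" >&2
        return 1
    fi
    scp -q "$file" "$HIDDEN_MASTER:$REMOTE_DIR/$zone" &&
        ssh "$HIDDEN_MASTER" rndc reload "$zone"
}

# Act as the hook only when the signer passes the two arguments.
if [ "$#" -eq 2 ]; then
    push_zone "$1" "$2"
fi
```
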