[Opendnssec-user] How to determine when signing zone work ends

Matthijs Mekking matthijs at nlnetlabs.nl
Wed Sep 12 11:05:27 UTC 2012



On 09/12/2012 11:53 AM, Sara Dickinson wrote:
> On 11 Sep 2012, at 07:08, wfXLtg== wrote:
> 
>> Hi Matthijs,
>> 
>> I'm now using Adapter File, which is more stable than Adapter
>> DNS. The work flow is as follows:
>> 1. generate zone files from db and save them in ./unsigned/
>> 2. when all the zone files are ready, run ods-signer sign --all
>> 3. monitor whether there are signed zones in ./signed/ and
>>    immediately scp the signed zone from ./signed to the hidden
>>    master BIND; after the transfer has completed, use "rndc reload"
> 
> Are you using the <NotifyCommand> mechanism for this? This is the
> best way to determine when the signing is complete.

I agree with Sara, replace the monitoring with the NotifyCommand.

> 
>>    to make BIND reload the newly signed zone file
>> 4. test whether
>> 4. do the above steps every 15 mins
>> 
>> The problem is sometimes the zone files in ./signed/ may not be
>> signed by ods-signer sign --all; they may be signed by an
>> automatic resign, so sometimes the RRs in the zones are not the
>> exact ones in db. So as you suggested, I have changed the resign
>> value to a relatively large number, but I find that I have to
>> change refresh, validity/default and validity/denial too, so I can
>> not set the resign period to 1Y for example, because refresh
>> should be larger than resign, and validity/default and
>> validity/denial should be larger than refresh. I think the
>> validity is 30D which is commonly used by registries, so can you
>> recommend other values?

Well, 1Y was perhaps a bit of an exaggerated example. But if you will
call ods-signer sign --all every 15 minutes, you probably are more
than safe with a resign value of a day.


>> 
>> And I knew that if a zone is not signed completely, ods-signerd
>> will only create a <zone>.tmp file in ./signed/, but in my test I
>> have found that a zone has been scped to the hidden master with
>> less size than its supposed size, and its file name is test, not
>> test.tmp, so my program is sure that it's signed completely and
>> transfers it to the destination. Is there a possibility that
>> ods-signerd does not sign the zone file completely and still
>> renames <zone>.tmp to <zone>? If not, I can hardly understand why
>> the signed file is smaller than the unsigned one.

Only once the signer has completely written the signed zone file to
<signed-zonefilename>.tmp does it rename it to <signed-zonefilename>.

> 
> Perhaps you can send us your xml files and log files offlist?

And I would also be interested in the failed zone file, signed and
unsigned.

> 
> Thanks
> 
> Sara.
> 
>> 
>> Best regards, Stuart 

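The NotifyCommand route that Sara and Matthijs recommend, together with the .tmp-then-rename behaviour explained above, as an added example that is not part of the original thread and not OpenDNSSEC project code: a POSIX shell hook the signer calls with %zone and %zonefile (OpenDNSSEC's own substitutions for the zone name and the signed zone file path), which refuses anything that is not a completed signed zone before copying it to the hidden master and reloading it. Because the signer runs the hook after it has written and renamed the file, whatever triggered that signing run, no polling of ./signed/ is needed. The hidden-master host name, the remote directory and the use of scp/ssh/rndc are assumptions about the deployment, and the sample zone the script checks itself against is constructed.

```shell
#!/bin/sh
# Added example (not OpenDNSSEC project code): a NotifyCommand hook that
# replaces polling of ./signed/. The signer invokes it only after a zone has
# been completely written and renamed from <zone>.tmp to <zone>.
#
# Assumed conf.xml wiring (%zone / %zonefile are OpenDNSSEC's substitutions
# for the zone name and the signed zone file path):
#   <NotifyCommand>/usr/local/bin/publish-zone.sh %zone %zonefile</NotifyCommand>
# The hidden-master host, remote directory and use of scp/ssh/rndc are
# assumptions about the deployment, not something the thread specifies.

set -u

HIDDEN_MASTER="${HIDDEN_MASTER:-hidden-master.example}"   # assumed host name
REMOTE_DIR="${REMOTE_DIR:-/var/named/signed}"             # assumed remote path

# Return 0 when the file looks like a completed signed zone:
#  - not the signer's in-progress <zone>.tmp file
#  - non-empty
#  - has an SOA record and at least one RRSIG (signatures were written)
zone_file_is_complete() {
    f="$1"
    case "$f" in *.tmp) return 1 ;; esac
    [ -s "$f" ] || return 1
    grep -Eq '[[:space:]]IN[[:space:]]+SOA[[:space:]]' "$f" || return 1
    grep -Eq '[[:space:]]IN[[:space:]]+RRSIG[[:space:]]' "$f" || return 1
    return 0
}

# Print the SOA serial from a one-record-per-line zone file (the layout the
# signer writes), so the publish step can log what it shipped.
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }' "$1"
}

# Copy under a temporary name, rename on the remote side so BIND never
# opens a half-copied file, then reload only that zone.
publish_zone() {
    zone="$1"; file="$2"
    if ! zone_file_is_complete "$file"; then
        echo "refusing to publish $zone: $file is not a completed signed zone" >&2
        return 1
    fi
    serial=$(soa_serial "$file")
    scp -q "$file" "$HIDDEN_MASTER:$REMOTE_DIR/$zone.tmp" || return 1
    ssh "$HIDDEN_MASTER" "mv -f '$REMOTE_DIR/$zone.tmp' '$REMOTE_DIR/$zone' && rndc reload '$zone'" || return 1
    echo "published $zone serial $serial to $HIDDEN_MASTER"
}

# Constructed sample of the signer's output (one record per line) for the
# self-check below; not real zone data.
write_sample_signed_zone() {
    cat > "$1" <<'EOF'
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012091201 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20121012110000 20120912110000 12345 example.com. c2lnbmF0dXJl
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20121012110000 20120912110000 12345 example.com. c2lnbmF0dXJl
EOF
}

# With <zone> <zonefile> (how the signer calls it) publish; with no
# arguments, exercise the completeness check on the constructed sample.
if [ "$#" -eq 2 ]; then
    publish_zone "$1" "$2"
elif [ "$#" -eq 0 ]; then
    sample=$(mktemp)
    write_sample_signed_zone "$sample"
    zone_file_is_complete "$sample" && echo "completed sample: serial $(soa_serial "$sample")"
    cp "$sample" "$sample.tmp"
    zone_file_is_complete "$sample.tmp" || echo "in-progress .tmp sample: not publishable"
    rm -f "$sample" "$sample.tmp"
fi
```

The completeness check is deliberately conservative: a file that still carries the signer's .tmp suffix, is empty, or holds no RRSIG at all is never shipped, so a half-written or unsigned file cannot reach the hidden master the way the thread describes. The remote copy-then-rename mirrors what ods-signerd does locally, and `rndc reload <zone>` touches only the zone that changed.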