[Opendnssec-user]How to determin when signing zone work ends
Matthijs Mekking
matthijs at nlnetlabs.nl
Wed Sep 12 11:05:27 UTC 2012
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 09/12/2012 11:53 AM, Sara Dickinson wrote:
> On 11 Sep 2012, at 07:08, wfXLtg== wrote:
>
>> Hi Matthijs,
>>
>> I'm now using Adapter File which is more stable than Adapter
>> DNS. The work flow is as follows: 1.generate zone files from db
>> and saved in ./unsigned/ 2.when all the zone files are ready, run
>> ods-signer sign --all 3.monitor whether there are signed zones in
>> ./signed/ and scp immediately signed zone from ./signed to hidden
>> master BIND , after transfer completeed using "rndc reload"
>
> Are you using the <NotifyCommand> mechanism for this? This is the
> best way to determine when the signing is complete.
I agree with Sara, replace the monitoring with the NotifyCommand.
>
>> to make BIND reload the newly signed zone file 4.test whether
>> 4.do the above steps every 15 mins
>>
>> The problem is sometimes the zone files in the ./singed/ may be
>> not signed by ods-signer sign --all, it may be signed by
>> automatic resign, so sometimes the RRs in the zones are not the
>> exact ones in db. So as you suggested, I have changed the resign
>> value to a relatively large number but I find that I have to
>> changed refresh, validity/default,validity/denial, too, so I can
>> not set the resign period to 1Y for example, because refresh
>> should be larger than resign and validity/default and
>> validity/denial should be larger than refresh. I think the
>> validity is 30D which is commonly used by registries, so can you
>> recommend other values?
Well, 1Y was perhaps a bit of an exaggerating example. But if you will
call ods-signer sign --all every 15 minutes, you probably are more
than safe with a resign value of a day.
>>
>> And I knew that if a zone is not signed compeltely, ods-signerd
>> will only create a <zone>.tmp file in ./signed/, but in my test I
>> have found that a zone has been scped to the hidden master with
>> less size than its supposed size, and its file name is test not
>> test.tmp, so my program is sure that it's signed completely and
>> transfer it to the destination. Is there a possibility that
>> ods-signerd signs zone file not completely and make <zone>.tmp to
>> <zone>? If not, I can hardly understand why the signed file is
>> more less than the unsigned one.
If the signer completely have written out the signed zone file to
<signed-zonefilename>.tmp, it will rename it to <signed-zonefilename>.
>
> Perhaps you can send us your xml files and log files offlist?
And I would also be interested in the the failed zone file, signed and
unsigned.
>
> Thanks
>
> Sara.
>
>>
>> Best regards, Stuart
>> _______________________________________________ Opendnssec-user
>> mailing list Opendnssec-user at lists.opendnssec.org
>> <mailto:Opendnssec-user at lists.opendnssec.org>
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
iQEcBAEBAgAGBQJQUGx2AAoJEA8yVCPsQCW5AOQIAKVmTf8uKA/Nao3chNFkhBSQ
1IyIAnQCleSCADZT1Zhlp6GUqljKqGW+0AxHzCWa5jg3EYI4gQeiO5PctKV65j9A
Ns609V5XT/pSa78viZ2X8oyPYLyyJMy3arGGJWa4itbZWPpd7kuGRZ3GytNqiTrY
x8o+46rmj3oBv9Mh41MW+yNsObD68Wk7HdM7RttnOYeY8J6V9g0NuoXkNo6+mDkZ
yu3vVR+YrsIJcthKi9i8WnIt1dZKddEEfl7AKIGCl8UMteLfUVXOnEd7Z+byuZ/j
Ry5UlgdUXFPTjCsfBk200X8AwQr1IBYCne5TIxQnXEmKjOrZJKK+I/FWS6Vk3Sk=
=wnul
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list