[Opendnssec-user] How to determine when signing zone work ends

Áõ˶ shuoleo at 126.com
Wed Sep 12 12:03:36 UTC 2012


Hi all,

Thanks for your reply.
I have written some scripts to compare the signed file with the raw one;
only if the counts of all kinds of RRs and RRSIGs match is it supposed
to be valid and intact.

>And I would also be interested in the the failed zone file, signed and
>unsigned
Sorry, I deleted the unsigned one because it gets overwritten every 15 min,
but I have noticed that the incomplete signed one lacks NSEC3 RRs and RRSIGs,
except for SOA, DNSKEY and NSEC3PARAM.

> Are you using the <NotifyCommand> mechanism for this? This is the
> best way to determine when the signing is complete.
No, I'm not, because the signer server and the hidden master may not be the
same server (both the signer server and the hidden master need a large amount of
memory, which may lead to high memory consumption), so I have to scp the signed
file to the hidden master, which OpenDNSSEC would not do.

Best regards,
Stuart
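A completeness check in the spirit of the comparison script Stuart describes, added here as an example; it is not code from the thread or from OpenDNSSEC. It assumes one RR per line in presentation format (no $ORIGIN/$TTL directives or multi-line parentheses) and runs on constructed sample zones; a signed file that stops after the apex SOA, DNSKEY and NSEC3PARAM signatures with no NSEC3 chain, the truncated case reported above, is flagged.

```python
from collections import Counter

# Constructed sample zones, not from the thread: one RR per line, no $ORIGIN/$TTL or
# multi-line parentheses; key and signature data are placeholders.
UNSIGNED = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2012091201 7200 3600 1209600 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
"""
def sig(owner, rtype):  # one RRSIG line covering rtype at owner (placeholder signature)
    return "%s 3600 IN RRSIG %s 8 2 3600 20121012120000 20120912120000 12345 example.com. SIGDATA==\n" % (owner, rtype)

APEX = "example.com."
DNSSEC_APEX = ("%s 3600 IN DNSKEY 257 3 8 KEYDATA==\n%s 0 IN NSEC3PARAM 1 0 5 ab12\n" % (APEX, APEX)
               + sig(APEX, "SOA") + sig(APEX, "DNSKEY") + sig(APEX, "NSEC3PARAM"))
NSEC3_CHAIN = ("h1.example.com. 3600 IN NSEC3 1 0 5 ab12 h2 A NS SOA RRSIG DNSKEY NSEC3PARAM\n"
               + sig("h1.example.com.", "NSEC3"))
SIGNED_OK = UNSIGNED + DNSSEC_APEX + NSEC3_CHAIN + sig(APEX, "NS") + sig("www.example.com.", "A")
# The short file described in the thread: apex SOA/DNSKEY/NSEC3PARAM signed, nothing else.
SIGNED_TRUNCATED = UNSIGNED + DNSSEC_APEX

def parse_rrsets(text):
    """Return ({(owner, type): rr count}, {(owner, type) covered by an RRSIG})."""
    rrsets, covered = Counter(), set()
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():          # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":    # optional class
            rest = rest[1:]
        if rest[0].upper() == "RRSIG":
            covered.add((owner, rest[1].upper()))  # type covered is the first RRSIG rdata field
        else:
            rrsets[(owner, rest[0].upper())] += 1
    return rrsets, covered

def check_signed_zone(unsigned_text, signed_text):
    """List the problems found; an empty list means the signed zone looks complete."""
    unsigned, _ = parse_rrsets(unsigned_text)
    signed, covered = parse_rrsets(signed_text)
    problems = ["missing or changed RRset %s/%s" % k for k, n in unsigned.items()
                if signed.get(k, 0) != n]
    if any(t == "NSEC3PARAM" for _, t in signed) and not any(t == "NSEC3" for _, t in signed):
        problems.append("NSEC3PARAM present but no NSEC3 chain")
    problems += ["RRset %s/%s has no RRSIG" % k for k in signed if k not in covered]
    return problems
```

Calling check_signed_zone(UNSIGNED, SIGNED_TRUNCATED) reports the missing NSEC3 chain and the apex NS and www A RRsets that carry no RRSIG, while the complete zone yields an empty list.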

From: Matthijs Mekking
Date: 2012-09-12 19:05
To: Sara Dickinson
CC: shuoleo; opendnssec-user
Subject: Re: [Opendnssec-user] How to determine when signing zone work ends

On 09/12/2012 11:53 AM, Sara Dickinson wrote:
> On 11 Sep 2012, at 07:08, wfXLtg== wrote:
> 
>> Hi Matthijs,
>> 
>> I'm now using Adapter File, which is more stable than Adapter
>> DNS. The workflow is as follows: 1. generate zone files from db
>> and save them in ./unsigned/ 2. when all the zone files are ready, run
>> ods-signer sign --all 3. monitor whether there are signed zones in
>> ./signed/ and scp the signed zone immediately from ./signed to the hidden
>> master BIND; after the transfer has completed, use "rndc reload"
> 
> Are you using the <NotifyCommand> mechanism for this? This is the
> best way to determine when the signing is complete.

I agree with Sara, replace the monitoring with the NotifyCommand.

> 
>> to make BIND reload the newly signed zone file 4.test whether 
>> 4. do the above steps every 15 mins
>> 
>> The problem is that sometimes the zone files in ./signed/ may
>> not have been signed by ods-signer sign --all; they may have been signed by
>> the automatic resign, so sometimes the RRs in the zones are not the
>> exact ones in the db. So, as you suggested, I have changed the resign
>> value to a relatively large number, but I find that I have to
>> change refresh, validity/default and validity/denial too, so I can
>> not set the resign period to 1Y for example, because refresh 
>> should be larger than resign, and validity/default and
>> validity/denial should be larger than refresh. I think the
>> validity is 30D, which is commonly used by registries, so can you
>> recommend other values?

Well, 1Y was perhaps a bit of an exaggerated example. But if you will
call ods-signer sign --all every 15 minutes, you are probably more
than safe with a resign value of a day.


>> 
>> And I knew that if a zone is not signed completely, ods-signerd
>> will only create a <zone>.tmp file in ./signed/, but in my test I
>> have found that a zone has been scped to the hidden master with
>> less size than its supposed size, and its file name is test, not
>> test.tmp, so my program is sure that it's signed completely and
>> transfers it to the destination. Is there a possibility that 
>> ods-signerd signs a zone file incompletely and renames <zone>.tmp to
>> <zone>? If not, I can hardly understand why the signed file is
>> much smaller than the unsigned one.

If the signer has completely written out the signed zone file to
<signed-zonefilename>.tmp, it will rename it to <signed-zonefilename>.

> 
> Perhaps you can send us your xml files and log files offlist?

And I would also be interested in the failed zone file, signed and
unsigned.

> 
> Thanks
> 
> Sara.
> 
>> 
>> Best regards, Stuart 
