[Opendnssec-user] Our unsigned zones change every 5 minutes - will they automatically be signed?

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Aug 29 13:27:56 UTC 2013


On 08/29/2013 03:03 PM, Patrik Wallström wrote:
> On Aug 29, 2013, at 2:41 PM, Harald A. Irmer <Harald.Irmer at KIT.edu> wrote:
>> Hi Ondřej,
>> thanks a lot!
>> On 29.08.2013 14:22, Ondřej Caletka wrote:
>>> Hi Harald,
>>> On 29.8.2013 13:56, Harald A. Irmer wrote:
>>>> Our unsigned zones change every 5 minutes - maybe I can defer changes up
>>>> to every 15 minutes - are the signed zones then produced accordingly
>>>> _automatically_?
>>> After update of an unsigned zone, call 'ods-signer sign <zone>';
>>> everything else is automatic.
>> I would be very pleased if I did not have to sit there watching when an
>> unsigned zone is updated because some admin has made a change maybe at
>> 7am in the morning or 22pm or on Sundays. And then I enter 'ods-signer
>> sign <zone>'. Haha! Is there any hope that unsigned zone changes will be
>> recognized maybe via BIND notify messages and signing be done
>> automatically? VERY important for me.
> You can automate this with either a Makefile or by using a hook in your version control system (that you should probably use anyway).

If you configure OpenDNSSEC to be a zone transfer client, e.g. the
signer reads the unsigned zones by doing an AXFR or IXFR, then it will
also handle any NOTIFY packets the master sends after a zone update.
(You are going to need version 1.4 or higher).

If you let OpenDNSSEC work on unsigned zone files, you can follow
Patrik's advice.

Best regards,
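
One way to script the version-control hook suggested above, as an added example that is not part of the original thread. It assumes git, a hypothetical `unsigned/` directory in which each file is named exactly after its zone, and helper names chosen here; only `ods-signer sign <zone>` comes from the thread.

```shell
#!/bin/sh
# Added example: post-commit hook logic that re-signs zones changed by a commit.
# Assumptions (not from the thread): git is the VCS, unsigned zone files live
# in ZONE_DIR, and each file name is the zone name.

ZONE_DIR="${ZONE_DIR:-unsigned}"        # hypothetical repository layout
ODS_SIGNER="${ODS_SIGNER:-ods-signer}"  # override with "echo" for a dry run

# Read changed paths on stdin, print each affected zone name once.
zones_from_paths() {
    while IFS= read -r path; do
        case "$path" in
            "$ZONE_DIR"/*) zone=${path#"$ZONE_DIR"/} ;;
            *) continue ;;
        esac
        # The name is handed to a privileged command, so accept only plain
        # DNS-style names: no subdirectories, no leading '.' or '-', no
        # characters outside letters, digits, '.', '_' and '-'.
        case "$zone" in
            ''|*/*|.*|-*|*[!A-Za-z0-9._-]*) continue ;;
        esac
        printf '%s\n' "$zone"
    done | sort -u
}

# Read zone names on stdin and ask the signer to sign each one.
# Returns non-zero if any zone failed, so the hook can report it.
sign_zones() {
    rc=0
    while IFS= read -r zone; do
        "$ODS_SIGNER" sign "$zone" </dev/null || {
            echo "signing $zone failed" >&2
            rc=1
        }
    done
    return "$rc"
}

# Hook entry point: ".git/hooks/post-commit" can call this script with "run".
if [ "${1:-}" = "run" ]; then
    git diff-tree --no-commit-id --name-only -r HEAD | zones_from_paths | sign_zones
fi
```
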
