[Opendnssec-user] Our unsigned zones change every 5 minutes - will they automatically be signed?

Harald A. Irmer Harald.Irmer at KIT.edu
Thu Aug 29 13:29:55 UTC 2013

Hi Patrik,

thank you!

Found out myself how it could work:

1. Some admin down the line changes/adds a zone entry at 8am on 
Saturday. I'm still sleeping.
2. Our zone production engine creates then automatically:
2.1 The primary zone, (to wich PTR points to), mainly A, AAAA and MX 
2.2 Some secondary zones, mainly A, AAAA and MX records.
2.3 IPv4 and IPv6 reverse zones.
3. Zones in /var/opendnssec/signed will be deleted.
4. Zones in /var/opendnssec/unsigned will be rsynced from zone 
production engine.
5. For all zone in 2.*:  ods-signer sign <$zone>
6. For all zone in 2.*: rsync to all nameservers 
7. Reload nameservers

Thank you, all!

On 29.08.2013 15:03, Patrik Wallström wrote:
> On Aug 29, 2013, at 2:41 PM, Harald A. Irmer <Harald.Irmer at KIT.edu> wrote:
>> Hi Ondřej,
>> thanks a lot!
>> On 29.08.2013 14:22, Ondřej Caletka wrote:
>>> Hi Harald,
>>> Dne 29.8.2013 13:56, Harald A. Irmer napsal(a):
>>>> Our unsigned zones change every 5 minutes - maybe I can defer changes up
>>>> to every 15 minutes - are the signed zones then produced accordingly
>>>> _automatically_?
>>> After update of an unsigned zone, call 'ods-signer sign <zone>'
>>> everything else is automatic.


Karlsruhe Institute of Technology (KIT)
ATIS - IT Infrastruture and Services, Faculty of Computer Science

Harald A. Irmer
IT Manager / Computer Networks Group

Am Fasanengarten 5
Building 50.34
76131 Karlsruhe, Germany

Phone: +49 721 608-46963
Fax: +49 721 608-46699
Email: harald.irmer at kit.edu

KIT University of the State of Baden-Wuerttemberg and
National Laboratory of the Helmholtz Association

More information about the Opendnssec-user mailing list