[Opendnssec-user] Enforcerd and signerd decoupling

Antti Ristimäki antti.ristimaki at csc.fi
Fri Apr 11 12:44:00 UTC 2014


03.04.2014 12:12, Siôn Lloyd wrote:
> One thing first; even a static zone is being resigned and published on
> the timescales defined by your signature Resign and Refresh parameters.

There are cases where the Resign interval is set to basically infinite
so that the zone signing process is only triggered by the update from
the zone provisioning system. I guess at least some TLD zones are
operated this way.

> So even if the system which creates the unsigned zones breaks a key
> rollover can happily progress.

This is exactly where the problem lies in case the zone provisioning
system is down. Enforcerd "happily" completes the key rollover although
actually the zone has not been signed in between.

But anyway, this marginal issue can be more or less mitigated by setting
the PublishSafety interval long enough, as already stated.

Antti

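The failure mode discussed in this message, as an added example that is not part of the original post and not OpenDNSSEC code: a small timeline model of a ZSK rollover in which the enforcer advances the new DNSKEY from publish to active after TTL + PublishSafety, while the signer only emits a zone on its Resign schedule or when the provisioning system delivers a new unsigned zone. The check asks whether a signed zone carrying the new key actually went out early enough for the rollover to be safe. The reference time `T0`, the TTL, the three-day provisioning outage and the function names are all constructed for the illustration.

```python
"""Model: does a key rollover outrun the zone it is supposed to be published in?

Added example (not OpenDNSSEC code).  The enforcer assumes the new DNSKEY is
visible from the moment it moves the key to "publish" and lets it go active
TTL + PublishSafety later.  If the signer never produced a zone in that window
(Resign "infinite", provisioning system down), the assumption is false.
"""
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed reference point for the scenario below (not from the thread).
T0 = datetime(2014, 4, 1, 12, 0, 0)


def signer_runs(start: datetime, horizon: datetime,
                resign: Optional[timedelta],
                provisioning_updates: List[datetime]) -> List[datetime]:
    """Times at which the signer emits a signed zone between start and horizon.

    resign=None models a Resign interval set to "basically infinite": the
    signer then only runs when the provisioning system delivers a new unsigned
    zone.  With a finite Resign interval the zone is (re)signed at start and
    every resign interval after that.
    """
    runs = set()
    if resign is not None:
        t = start
        while t <= horizon:
            runs.add(t)
            t += resign
    runs.update(u for u in provisioning_updates if start <= u <= horizon)
    return sorted(runs)


def ready_time(publish_time: datetime, dnskey_ttl: timedelta,
               publish_safety: timedelta) -> datetime:
    """When the enforcer considers the new DNSKEY safe to sign with."""
    return publish_time + dnskey_ttl + publish_safety


def rollover_is_safe(publish_time: datetime, dnskey_ttl: timedelta,
                     publish_safety: timedelta, runs: List[datetime]) -> bool:
    """True if the first signed zone containing the new DNSKEY went out early
    enough that caches saw it for a full TTL before the enforcer activates it.
    PublishSafety is the margin that absorbs a late publication."""
    ready = ready_time(publish_time, dnskey_ttl, publish_safety)
    after = [t for t in runs if t >= publish_time]
    if not after:
        return False          # zone never signed after the key was introduced
    first_out = after[0]
    return first_out + dnskey_ttl <= ready


def scenario(publish_safety: timedelta, resign: Optional[timedelta]) -> bool:
    """Constructed scenario: key published at T0, DNSKEY TTL 1h, provisioning
    system silent for three days, then one update."""
    dnskey_ttl = timedelta(hours=1)
    updates = [T0 + timedelta(days=3)]
    horizon = T0 + timedelta(days=30)
    runs = signer_runs(T0, horizon, resign, updates)
    return rollover_is_safe(T0, dnskey_ttl, publish_safety, runs)


if __name__ == "__main__":
    # Resign infinite, PublishSafety 1h: enforcer activates at T0+2h, zone first
    # signed at T0+3d -> unsafe.
    print("PS=1h, Resign=inf :", scenario(timedelta(hours=1), None))
    # Resign infinite, PublishSafety 7d: the update at T0+3d falls inside the
    # margin -> safe.
    print("PS=7d, Resign=inf :", scenario(timedelta(days=7), None))
    # Finite Resign: zone resigned on schedule regardless of provisioning -> safe.
    print("PS=1h, Resign=2h  :", scenario(timedelta(hours=1), timedelta(hours=2)))
```

The model is deliberately narrow: it only tracks whether a signed zone went out, not whether secondaries or validators picked it up, which is the extra slack a practitioner would normally fold into PublishSafety anyway.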