[Opendnssec-user] Zone signing after Notify...

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Jan 14 09:54:24 UTC 2014

Hi Catalin,

On 01/13/2014 10:51 PM, Catalin Leanca wrote:
> Hello everybody,
> I'm planning to implement OpenDNSSEC for a large zone that uses dynamic
> updates.
> I have a question about Signer Engine component.
> If OpenDNSSEC receives a Notify from hidden master and transfers
> updated/new records using IXFR
> it will resign the entire zone or only the records contained in the IXFR ?

OpenDNSSEC 1.4 will request an IXFR from the master and it will apply
the differences. A re-sign will follow and will sign the following RRsets:

* All the new records that were in the IXFR.
* The changed NSEC/NSEC3 records because of added /removed RRsets.
* Existing RRsets that need its signature to be refreshed.

So: It will check the whole zone, but will only resign those RRsets that
require a new signature (basically the RRs from the IXFR plus a few more).

> And how will transfer the new zone to slaves ? Using IXFR or AXFR ?

When a new signed zone has been produced, the signer will send a NOTIFY
to its secondaries. Upon an IXFR request, it will serve IXFR. The signer
engine keeps up to three IXFRs in its journal.

How to configure the master and the secondaries is documented here:


Best regards,

> Thanks,
> Catalin Leanca
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

More information about the Opendnssec-user mailing list