[Opendnssec-user] resign interval PT0S

Emil Natan shlyoko at gmail.com
Tue Mar 17 13:43:35 UTC 2015


Hello list,

I have a setup where the desired behavior is that the signer runs and
actually signs a zone only when manually triggered via "ods-signer sign
<zone>". I mean the ods-signerd process is running all the time, but only
running the above command manually or via a cronjob should make it sign a
zone. The reason for this setup is that the unsigned zone does not reside
on the signer, but is pushed to the signer as a file (sftp), then the
signing process is triggered and then the signed zone is pushed out.

I have the following configuration (2 policies with the same configuration
regarding signatures) and I'm running version 1.4.7. According to the
documentation the signer should run every Resign interval, but that's not
the case.

        <Signatures>
                <Resign>PT0S</Resign>
                <Refresh>PT0S</Refresh>

                <Validity>
                        <Default>P21D</Default>
                        <Denial>P21D</Denial>
                </Validity>
                <Jitter>PT0S</Jitter>
                <InceptionOffset>PT3600S</InceptionOffset>
        </Signatures>

I have two problems with that setup. One is that when I set the resign
interval to PT0S (0 seconds), the signer runs every hour. I'm operating two
separate signers (two different environments) and on one machine I see the
following error logged: "unable to retrieve resign interval for zone xxx:
duration2time() failed"; nothing is logged on the second machine. I checked
the code and I see that the hardcoded default is one hour, but I do not
understand why the duration2time function fails. It's also strange that I do
not see that message logged on the second machine, but the behavior is the
same: the signer is invoked every hour.

The second problem is that even when no unsigned zone file exists at the
location specified in zonelist.xml, the signer manages to create a signed
file. I presume that the .backup2 file from /var/opendnssec/tmp/ is used; I
just do not have any other explanation for where it comes from.

Any ideas on how to achieve the desired behavior and how to suppress the
second issue?

Thanks.

Emil
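As an added illustration (not OpenDNSSEC's own code and not part of the post), the following Python parses the ISO 8601 durations used in a kasp.xml <Signatures> block and runs a few sanity checks over the resulting values, so that a zero Resign such as the one in the post is reported before the daemon is restarted. The relations it enforces (Resign shorter than Refresh, both Validity values longer than Refresh, Jitter at most half the validity) and the 31-day month / 365-day year approximations are this example's own assumptions, not a statement of what ods-kaspcheck or duration2time() do.

```python
"""Parse the ISO 8601 durations used in an OpenDNSSEC kasp.xml <Signatures>
block and sanity-check the relations between them.
Added illustration, not OpenDNSSEC code."""
import re
import xml.etree.ElementTree as ET

# ISO 8601 duration grammar as used in kasp.xml: PnYnMnWnDTnHnMnS.
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)
# Assumption for comparison purposes only: a month is 31 days, a year 365.
_UNIT_SECONDS = {"y": 365 * 86400, "mo": 31 * 86400, "w": 7 * 86400,
                 "d": 86400, "h": 3600, "mi": 60, "s": 1}


def parse_duration(text):
    """Return the number of seconds in an ISO 8601 duration.

    'PT0S' is a valid duration meaning zero; a missing or malformed value
    raises ValueError so the caller can tell 'zero' from 'unparseable'.
    """
    text = text.strip()
    m = _DURATION_RE.match(text)
    # 'P' or 'PT' alone match the grammar but carry no fields at all.
    if not m or not any(m.groupdict().values()):
        raise ValueError(f"malformed ISO 8601 duration: {text!r}")
    return sum(_UNIT_SECONDS[k] * int(v) for k, v in m.groupdict().items() if v)


def signature_timing(xml_text):
    """Extract the <Signatures> timing values (in seconds) from a kasp.xml
    fragment. The element names are the ones shown in the post above."""
    root = ET.fromstring(xml_text)
    sig = root if root.tag == "Signatures" else root.find(".//Signatures")
    if sig is None:
        raise ValueError("no <Signatures> element found")

    def get(path):
        node = sig.find(path)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing Signatures/{path}")
        return parse_duration(node.text)

    return {
        "resign": get("Resign"),
        "refresh": get("Refresh"),
        "validity": get("Validity/Default"),
        "denial": get("Validity/Denial"),
        "jitter": get("Jitter"),
        "inception_offset": get("InceptionOffset"),
    }


def check_timing(t):
    """Return a list of problem codes for a timing dict.

    These relations are the example's own sanity rules (assumption: the
    signer should re-run more often than signatures are refreshed, and
    refresh them well before they expire); they are not a claim about
    the exact rule set of ods-kaspcheck.
    """
    problems = []
    if t["resign"] == 0:
        # Zero means "no timer"; the post reports 1.4.7 running hourly anyway.
        problems.append("resign-zero")
    if t["resign"] >= t["refresh"]:
        problems.append("resign-not-below-refresh")
    if t["validity"] <= t["refresh"]:
        problems.append("validity-not-above-refresh")
    if t["denial"] <= t["refresh"]:
        problems.append("denial-not-above-refresh")
    if t["jitter"] > t["validity"] // 2:
        problems.append("jitter-too-large")
    return problems


# Constructed input: the <Signatures> block quoted in the post.
POST_CONFIG = """<Signatures>
  <Resign>PT0S</Resign>
  <Refresh>PT0S</Refresh>
  <Validity><Default>P21D</Default><Denial>P21D</Denial></Validity>
  <Jitter>PT0S</Jitter>
  <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>"""

# Constructed input: the same block with a conventional periodic schedule
# (values are illustrative, not a recommendation from the list).
PERIODIC_CONFIG = POST_CONFIG.replace("<Resign>PT0S", "<Resign>PT2H") \
                             .replace("<Refresh>PT0S", "<Refresh>P3D")

if __name__ == "__main__":
    for label, cfg in (("post", POST_CONFIG), ("periodic", PERIODIC_CONFIG)):
        timing = signature_timing(cfg)
        print(label, timing, check_timing(timing))
```

Running the block prints the parsed seconds for both fragments; the post's block is flagged for its zero Resign (and for Resign not being below Refresh), while the periodic variant passes. The point of keeping `parse_duration` strict is that "PT0S" comes back as a real zero rather than as a parse failure, which is the distinction the log line in the post turns on.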