[Opendnssec-user] resign interval PT0S

Rick van Rein rick at openfortress.nl
Tue Mar 17 13:56:03 UTC 2015


Hi Emil,

> I have a setup where the desired behavior is that the signer runs and actually signs a zone only when manually triggered via "ods-signer sign <zone>". I mean the ods-signerd process is running all the time, but only running the above command manually or via cronjob should make it sign a zone.

That sounds like a really strange approach — the idea of OpenDNSSEC is that it handles all the timing complexity for your signing, to keep signatures fresh and without requiring you to apply the relatively unsubtle cronjob tactics.  For example, think of things like spreading the load on your machine.

If your intention is to run a batch signer, I would advise you look into the standard tooling that comes with BIND9, notably dnssec-signzone, http://ftp.isc.org/www/bind/arm95/man.dnssec-signzone.html

For a more advanced approach that does work well from a crontab, you might want to look into ZKT,
http://www.hznet.de/dns/zkt/

> The reason for this setup is that the unsigned zone does not reside on the signer, but is pushed to the signer as a file (sftp), then the signing process is triggered and then the signed zone pushed out.

Are you aware of input adapters that can automate this process for you?

When you manually transfer files, it is safe to run ods-signer sign <zone>, but I would never advise you to try and stop the signer from doing its regular thing when you don’t push it.  That is, if you are using OpenDNSSEC.

> I have 2 problems with that setup, one is that when I set the resign interval to PT0S (0 seconds), the signer runs every hour.

You are trying to set OpenDNSSEC to sign continuously?!?  Mad man ;-)  It’s actually very friendly of OpenDNSSEC to not listen to such dangerous instructions…

> The second problem […]

I have no reaction to that one.

> Any ideas how to achieve the desired behavior and how to suppress the second issue.

I would advise you to either desire different behaviour, or use different tooling.

I hope this is helpful!

Cheers,
 -Rick
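The point Rick makes about PT0S is that a resign interval is an ISO 8601 duration, and a zero-length one asks the signer to re-sign without pause. The following is an added example (not part of this thread and not OpenDNSSEC's own code) that parses such durations and runs the sanity checks an operator would want on the three timing values in the `<Signatures>` section of kasp.xml, `Resign`, `Refresh` and `Validity/Default`. The constructed kasp fragment, the helper names and the rules it applies (resign must be non-zero, shorter than the refresh window, which in turn must be shorter than the validity period) are this example's assumptions, chosen to illustrate why the daemon does not honour PT0S, not OpenDNSSEC's published validation logic.

```python
import re
import xml.etree.ElementTree as ET

# ISO 8601 duration as used in kasp.xml, e.g. PT0S, PT2H, P3D, P14D.
# Years and months are approximated (365 and 30 days); that is an
# assumption of this example, good enough for a sanity check.
_DURATION_RE = re.compile(
    r"^P(?:(?P<y>\d+)Y)?(?:(?P<mo>\d+)M)?(?:(?P<w>\d+)W)?(?:(?P<d>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<mi>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)
_UNIT_SECONDS = {
    "y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
    "d": 86400, "h": 3600, "mi": 60, "s": 1,
}


def parse_iso8601_duration(text: str) -> int:
    """Return the duration in seconds; raise ValueError on malformed input."""
    m = _DURATION_RE.match(text.strip())
    if not m or text.strip() in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    return sum(int(v) * _UNIT_SECONDS[k] for k, v in m.groupdict().items() if v)


def check_signature_timing(resign: str, refresh: str, validity: str) -> list:
    """Return a list of human-readable problems; empty means the values are sane.

    Rules (this example's assumptions, not OpenDNSSEC's own checks):
      * resign must be > 0, otherwise the signer would loop continuously
      * resign must be shorter than refresh, so signatures are renewed
        before they enter the refresh window
      * refresh must be shorter than validity, so renewal happens before expiry
    """
    r, f, v = (parse_iso8601_duration(x) for x in (resign, refresh, validity))
    problems = []
    if r == 0:
        problems.append("Resign is zero: signer would re-sign continuously")
    if r >= f:
        problems.append("Resign is not shorter than Refresh")
    if f >= v:
        problems.append("Refresh is not shorter than Validity")
    return problems


def check_kasp_fragment(xml_text: str) -> list:
    """Extract Resign/Refresh/Validity from a <Signatures> fragment and check them."""
    sigs = ET.fromstring(xml_text).find(".//Signatures")
    if sigs is None:
        raise ValueError("no <Signatures> element found")
    return check_signature_timing(
        sigs.findtext("Resign"),
        sigs.findtext("Refresh"),
        sigs.findtext("Validity/Default"),
    )


# Constructed kasp.xml fragment with the PT0S setting from the thread.
CONTINUOUS_FRAGMENT = """
<Policy name="example">
  <Signatures>
    <Resign>PT0S</Resign>
    <Refresh>P3D</Refresh>
    <Validity><Default>P14D</Default><Denial>P14D</Denial></Validity>
  </Signatures>
</Policy>
"""

# Constructed fragment with conventional, non-overlapping timings.
SANE_FRAGMENT = CONTINUOUS_FRAGMENT.replace("PT0S", "PT2H")

if __name__ == "__main__":
    for label, frag in (("PT0S", CONTINUOUS_FRAGMENT), ("PT2H", SANE_FRAGMENT)):
        print(label, "->", check_kasp_fragment(frag) or "ok")
```

Running the script reports the continuous-signing problem for the PT0S fragment and "ok" for the PT2H one; the same check can be run against a real policy section before it is loaded, so that an interval the daemon would silently ignore is caught in review rather than discovered from hourly signer runs.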

