[Opendnssec-user] resign interval PT0S

Emil Natan shlyoko at gmail.com
Tue Mar 17 14:14:31 UTC 2015 

Hi Rick,

Thank you for the advice. The reason I choose OpenDNSSEC is because of the
keys management and not because of the signing functionality. It's also
"fluent" in PKCS11 to work with HSM, when other tools required openssl +
patches, at least at the time the system was planned.

The reason to set the Resign interval to PT0S is to actually disable it. I
do not remember when I saw it documented, but it works for the Refresh
interval (disables refreshing of the signatures).

And the setup is as is because the zones are generated by another system
and they require in depth testing on both unsigned zones before signing and
the signed zones before sending them to the distribution masters.

Emil

On Tue, Mar 17, 2015 at 3:56 PM, Rick van Rein <rick at openfortress.nl> wrote:

> Hi Emil,
>
> > I have a setup where the desired behavior is that the signer runs and
> actually sign a zone only when manually triggered via "ods-signer sign
> <zone>. I mean the ods-signerd process is running all the time, but only
> running the above command manually or via cronjob should make it sign a
> zone.
>
> That sounds like a really strange approach — the idea of OpenDNSSEC is
> that it handles all the timing complexity for your signing, to keep
> signatures fresh and without requiring you to apply the relatively unsubtle
> cronjob tactics.  For example, think of things like spreading the load on
> your machine.
>
> If your intention is to run a batch signer, I would advise you look into
> the standard tooling that comes with BIND9, notable dnssec-signzone,
> http://ftp.isc.org/www/bind/arm95/man.dnssec-signzone.html
>
> For a more advanced approach that does work well from a crontab, you might
> want to look into ZKT,
> http://www.hznet.de/dns/zkt/
>
> > The reason for this setup is that the unsigned zone does not reside on
> the signer, but is pushed to the signer as a file (sftp), then the signing
> process is triggered and then the signed zone pushed out.
>
> Are you aware of input adapters that can automate this process for you?
>
> When you manually transfer files, it is safe to run ods-signer —sign
> <zone>, but I would never advise you to try and stop the signer from doing
> its regular thing when you don’t push it.  That is, if you are using
> OpenDNSSEC.
>
> > I have 2 problems with that setup, one is that when I set the resign
> interval to PT0S (0 seconds), the signer runs every hour.
>
> You are trying to set OpenDNSSEC to sign continuously?!?  Mad man ;-)
> It’s actually very friendly of OpenDNSSEC to not listen to such dangerous
> instructions…
>
> > The second problem […]
>
> I have no reaction to that one.
>
> > Any ideas how to achieve the desired behavior and how to suppress the
> second issue.
>
> I would advise you to either desire different behaviour, or use different
> tooling.
>
> I hope this is helpful!
>
> Cheers,
>  -Rick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20150317/3d2160c7/attachment.htm>

More information about the Opendnssec-user mailing list