[Opendnssec-user] resign interval PT0S

Antti Ristimäki antti.ristimaki at csc.fi
Wed Mar 18 10:17:35 UTC 2015


Hi,

17.03.2015, 15:56, Rick van Rein wrote:
> Hi Emil,
> 
>> I have a setup where the desired behavior is that the signer runs and actually signs a zone only when manually triggered via "ods-signer sign <zone>". I mean the ods-signerd process is running all the time, but only running the above command manually or via cronjob should make it sign a zone.
> 
> That sounds like a really strange approach — the idea of OpenDNSSEC is that it handles all the timing complexity for your signing, to keep signatures fresh and without requiring you to apply the relatively unsubtle cronjob tactics.  For example, think of things like spreading the load on your machine.

I don't see this as a strange approach. In many environments the zone
data is periodically transferred from a provisioning system to the
OpenDNSSEC signer and then the signing process is triggered by issuing
"ods-signer sign <zone>" after receiving the unsigned zone.

We are also using this approach and we have configured the Resign
interval to P10Y.

Antti


