[Opendnssec-user] resign interval PT0S
Yuri Schaeffer
yuri at nlnetlabs.nl
Wed Mar 18 10:34:11 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi Antti,
> I don't see this as a strange approach. In many environments the
> zone data is periodically transferred from a provisioning system
> to OpenDNSSEC signer and then the signing process is triggered by
> issuing "ods-signer sign <zone>" after receiving the unsigned
> zone.
>
> We are also using this approach and we have configured the Resign
> interval to P10Y.
Rainbows and unicorns.
Until you zone content one day didn't change for "validity-jitter"
time and signatures start to expire because the signer is not allowed
to do regular maintenance.
I'm saying, you can do it. But make sure to monitor your unicorns.
//Yuri
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEARECAAYFAlUJVKMACgkQI3PTR4mhaviQIQCgz4tylfd6N/CGmGUL/LSBLPho
vk8An0BCNt9gKKarQcMDs5YaF+xL5mn1
=XrK5
-----END PGP SIGNATURE-----
More information about the Opendnssec-user
mailing list