[Opendnssec-user] resign interval PT0S

Emil Natan shlyoko at gmail.com
Wed Mar 18 12:15:19 UTC 2015 

We do the monitoring and do not rely solely on OpenDNSSEC to manage the
signed zones anyway.

But two things are still making me crazy. One is how ODS manages to create
a signed zone when the unsigned zone is missing. I also remove the
<zone>.backup2 file, but the signed zone is still created and it contains
real data.

The second issue is with the signer not respecting the Resign value. I have
a machine where the resign interval was initially set to 12 hours, then
changed to 0 seconds and then to two days, in each case updating the kasp
database and even restarting both signer and enforcer services, it keeps
resigning the zone twice a day. Once a day the signing process is triggered
by a cronjob, exactly 12 hours later it happens by itself. And the signconf
file created by the enforcer clearly states "<Resign>PT172800S</Resign>"

Any idea what I'm missing?

@Antti We have a resigning cycle of 24 hours, so I decided setting the
resign value to 2 days is a good option because with the cronjob running
every day that limit should never be reached. Unfortunately I'm still
missing something.

Thanks.

Emil




On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer <yuri at nlnetlabs.nl> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Antti,
>
> > I don't see this as a strange approach. In many environments the
> > zone data is periodically transferred from a provisioning system
> > to OpenDNSSEC signer and then the signing process is triggered by
> > issuing "ods-signer sign <zone>" after receiving the unsigned
> > zone.
> >
> > We are also using this approach and we have configured the Resign
> > interval to P10Y.
>
> Rainbows and unicorns.
>
> Until you zone content one day didn't change for "validity-jitter"
> time and signatures start to expire because the signer is not allowed
> to do regular maintenance.
>
> I'm saying, you can do it. But make sure to monitor your unicorns.
>
> //Yuri
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iEYEARECAAYFAlUJVKMACgkQI3PTR4mhaviQIQCgz4tylfd6N/CGmGUL/LSBLPho
> vk8An0BCNt9gKKarQcMDs5YaF+xL5mn1
> =XrK5
> -----END PGP SIGNATURE-----
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20150318/c9b68a97/attachment.htm>

More information about the Opendnssec-user mailing list