[Opendnssec-user] resign interval PT0S

Antti Ristimäki antti.ristimaki at csc.fi
Wed Mar 18 13:08:37 UTC 2015



Hi,

18.03.2015, 12:34, Yuri Schaeffer wrote:
> Hi Antti,
> 
>> I don't see this as a strange approach. In many environments the 
>> zone data is periodically transferred from a provisioning system 
>> to OpenDNSSEC signer and then the signing process is triggered
>> by issuing "ods-signer sign <zone>" after receiving the unsigned 
>> zone.
> 
>> We are also using this approach and we have configured the
>> Resign interval to P10Y.
> 
> Rainbows and unicorns.
> 
> Until your zone content one day didn't change for "validity-jitter" 
> time and signatures start to expire because the signer is not
> allowed to do regular maintenance.
> 
> I'm saying, you can do it. But make sure to monitor your unicorns.

Yes, we can do it and we are doing it, without issues so far. And we
do monitor, which unfortunately is not true for every player operating
DNSSEC signed zones.

Besides, the timing parameters should be chosen in a way that the zone
update process can be stopped for many days until signatures start to
expire.

Antti
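A check in the spirit of "monitor your unicorns", added here as an example and not taken from the thread or from OpenDNSSEC itself: it parses the RRSIG records of a signed zone in presentation format, reports which signatures fall inside a warning window, and tells you how much margin is left before the earliest expiration. The zone text is a constructed two-record sample, and the record layout it assumes is `owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig`.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample zone (not real data): one RRSIG over the SOA and one
# over an A record, with the expiration field (YYYYMMDDHHmmSS, UTC) first.
SAMPLE_ZONE = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20150401120000 20150318120000 12345 example.org. AAAA==
www.example.org. 3600 IN RRSIG A 8 3 3600 20150322000000 20150318120000 12345 example.org. BBBB==
"""

# Assumed one-line presentation format; captures owner, covered type,
# expiration and inception timestamps.
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)

def parse_rrsig_expirations(zone_text):
    """Return [(owner, covered_type, expiration_utc)] for every RRSIG line."""
    found = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        owner, rtype, exp, _inception = m.groups()
        expiration = datetime.strptime(exp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        found.append((owner, rtype, expiration))
    return found

def check_expiry(zone_text, now, warn_before=timedelta(days=3)):
    """Classify the zone: OK, WARNING (expiring within the window) or
    CRITICAL (already expired, or no signatures at all)."""
    sigs = parse_rrsig_expirations(zone_text)
    if not sigs:
        return {"status": "CRITICAL", "earliest": None, "expiring": []}
    earliest = min(e for _, _, e in sigs)
    expiring = [s for s in sigs if s[2] - now <= warn_before]
    if earliest <= now:
        status = "CRITICAL"
    elif expiring:
        status = "WARNING"
    else:
        status = "OK"
    # margin: how long the zone update process could still stall
    return {"status": status, "earliest": earliest,
            "margin": earliest - now, "expiring": expiring}

if __name__ == "__main__":
    result = check_expiry(SAMPLE_ZONE, datetime(2015, 3, 20, tzinfo=timezone.utc))
    print(result["status"], "earliest expiry:", result["earliest"],
          "margin:", result["margin"])
    for owner, rtype, exp in result["expiring"]:
        print("  expiring soon:", owner, rtype, exp)
```

Run it against `ods-signer`'s signed zone output (or an AXFR dumped to presentation format) from cron, and alert on anything but OK; the margin tells you how long the provisioning side may stall before the next signature run becomes urgent.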
