[Opendnssec-user] resign interval PT0S

Matthijs Mekking matthijs at pletterpet.nl
Wed Mar 18 13:33:03 UTC 2015


Emil,

On 03/18/2015 01:15 PM, Emil Natan wrote:
> We do the monitoring and do not rely solely on OpenDNSSEC to manage the
> signed zones anyway.
>
> But two things are still making me crazy. One is how ODS manages to
> create a signed zone when the unsigned zone is missing. I also remove
> the <zone>.backup2 file, but the signed zone is still created and it
> contains real data.

The only reasons that this occurs and that I can think of are:
- The unsigned zone is still in memory
- The zone uses a DNS Input Adapter

From your mails it sounds unlikely that one of these is the cause though...


> The second issue is with the signer not respecting the Resign value. I
> have a machine where the resign interval was initially set to 12 hours,
> then changed to 0 seconds and then to two days, in each case updating
> the kasp database and even restarting both signer and enforcer services,
> it keeps resigning the zone twice a day. Once a day the signing process
> is triggered by a cronjob, exactly 12 hours later it happens by itself.
> And the signconf file created by the enforcer clearly states
> "<Resign>PT172800S</Resign>"

This can be considered a bug:

https://github.com/opendnssec/opendnssec/blob/1.4/master/signer/src/daemon/worker.c#L467

duration2time is 0 and the signer will fall back to use the default of 1H.

To be honest, I am not sure if <Resign>PT0S</Resign> is a good idea. 
Basically what it means is changing behaviour because we should not put 
the zone back on the scheduler (if that makes sense).

Best regards,
   Matthijs




>
> Any idea what I'm missing?
>
> @Antti We have a resigning cycle of 24 hours, so I decided setting the
> resign value to 2 days is a good option because with the cronjob running
> every day that limit should never be reached. Unfortunately I'm still
> missing something.
>
> Thanks.
>
> Emil
>
>
>
>
> On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer <yuri at nlnetlabs.nl
> <mailto:yuri at nlnetlabs.nl>> wrote:
>
>     Hi Antti,
>
>     > I don't see this as a strange approach. In many environments the
>     > zone data is periodically transferred from a provisioning system
>     > to OpenDNSSEC signer and then the signing process is triggered by
>     > issuing "ods-signer sign <zone>" after receiving the unsigned
>     > zone.
>     >
>     > We are also using this approach and we have configured the Resign
>     > interval to P10Y.
>
>     Rainbows and unicorns.
>
>     Until your zone content one day didn't change for "validity-jitter"
>     time and signatures start to expire because the signer is not allowed
>     to do regular maintenance.
>
>     I'm saying, you can do it. But make sure to monitor your unicorns.
>
>     //Yuri
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>



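The two points raised in this thread, the PT0S value collapsing into the 1H default because a zero duration is indistinguishable from "not configured", and Yuri's warning that a very long Resign interval lets signatures expire when zone content stops changing, can be checked with a small script. The code below is an added example and is not OpenDNSSEC code: the function names (duration2time, effective_resign_1_4, effective_resign_fixed, expires_before_renewal) are hypothetical, the calendar-unit constants are this example's convention rather than what the signer's own duration2time uses, and the resign/refresh model is a deliberate simplification of the signer's scheduling.

```python
"""Added example (not OpenDNSSEC code): why <Resign>PT0S</Resign> becomes 1H in
the described 1.4 fallback, and how to check a large Resign interval against
signature validity/refresh before relying solely on a cron-driven
'ods-signer sign'."""
import re

# ISO 8601 duration as written in kasp.xml / signconf:
# P[nY][nM][nW][nD][T[nH][nM][nS]]
_DURATION_RE = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)
# Assumption: calendar units approximated as 365-day years and 30-day months.
# OpenDNSSEC's own duration code may use different constants.
_UNIT_SECONDS = (365 * 86400, 30 * 86400, 7 * 86400, 86400, 3600, 60, 1)

DEFAULT_RESIGN = 3600  # the 1H default the thread refers to


def duration2time(text):
    """Convert an ISO 8601 duration such as 'PT172800S' to seconds.

    'PT0S' legitimately yields 0, which is exactly the value that the
    fallback in effective_resign_1_4 cannot tell apart from 'unset'.
    """
    m = _DURATION_RE.match(text.strip())
    if not m or all(g is None for g in m.groups()):
        raise ValueError("not an ISO 8601 duration: %r" % text)
    return sum(int(g) * unit
               for g, unit in zip(m.groups(), _UNIT_SECONDS) if g is not None)


def effective_resign_1_4(signconf_resign):
    """Mirror of the behaviour described in the thread (assumption about the
    exact code): a zero result is treated as 'unset' and replaced by 1H."""
    seconds = duration2time(signconf_resign) if signconf_resign else 0
    return seconds if seconds else DEFAULT_RESIGN


def effective_resign_fixed(signconf_resign):
    """Keep 'unset' (None -> default) and 'zero' apart: 0 means the zone is
    not put back on the scheduler at all (hypothetical fixed behaviour)."""
    if signconf_resign is None:
        return DEFAULT_RESIGN
    return duration2time(signconf_resign)


def expires_before_renewal(resign, validity, refresh, jitter):
    """Simplified model (assumption): the scheduler re-signs every `resign`
    seconds and renews any signature whose remaining lifetime is <= `refresh`.
    Worst-case lifetime of a fresh signature is validity - jitter.

    Returns True if a zone whose content never changes would serve an expired
    RRSIG before the scheduler renews it, i.e. the case Yuri warns about.
    All arguments are in seconds.
    """
    lifetime = validity - jitter
    if lifetime <= 0:
        raise ValueError("jitter must be smaller than validity")
    if resign <= 0:
        # Never rescheduled: only an external 'ods-signer sign' can renew it.
        return True
    t = 0
    while True:
        t += resign
        if t >= lifetime:
            return True   # next pass happens after the signature expired
        if lifetime - t <= refresh:
            return False  # inside the refresh window: renewed in time
```

Feed it your own kasp values: with a 2-day Resign (PT172800S), a 14-day validity, 12-hour jitter and a 3-day refresh, the scheduler still renews in time, whereas P10Y leaves nothing but the cron job between you and expired signatures.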