[Opendnssec-user] resign interval PT0S
Matthijs Mekking
matthijs at pletterpet.nl
Wed Mar 18 13:33:03 UTC 2015
Emil,
On 03/18/2015 01:15 PM, Emil Natan wrote:
> We do the monitoring and do not rely solely on OpenDNSSEC to manage the
> signed zones anyway.
>
> But two things are still making me crazy. One is how ODS manages to
> create a signed zone when the unsigned zone is missing. I also remove
> the <zone>.backup2 file, but the signed zone is still created and it
> contains real data.
The only reasons that this occurs and that I can think of are:
- The unsigned zone is still in memory
- The zone uses a DNS Input Adapter
From your mails it sounds unlikely that one of these is the cause though...
> The second issue is with the signer not respecting the Resign value. I
> have a machine where the resign interval was initially set to 12 hours,
> then changed to 0 seconds and then to two days, in each case updating
> the kasp database and even restarting both signer and enforcer services,
> it keeps resigning the zone twice a day. Once a day the signing process
> is triggered by a cronjob, exactly 12 hours later it happens by itself.
> And the signconf file created by the enforcer clearly states
> "<Resign>PT172800S</Resign>"
This can be considered a bug:
https://github.com/opendnssec/opendnssec/blob/1.4/master/signer/src/daemon/worker.c#L467
duration2time is 0 and the signer will fall back to use the default of 1H.
To be honest, I am not sure if <Resign>PT0S</Resign> is a good idea.
Basically what it means is changing behaviour because we should not put
the zone back on the scheduler (if that makes sense).
Best regards,
Matthijs
>
> Any idea what I'm missing?
>
> @Antti We have a resigning cycle of 24 hours, so I decided setting the
> resign value to 2 days is a good option because with the cronjob running
> every day that limit should never be reached. Unfortunately I'm still
> missing something.
>
> Thanks.
>
> Emil
>
>
>
>
> On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer <yuri at nlnetlabs.nl
> <mailto:yuri at nlnetlabs.nl>> wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi Antti,
>
> > I don't see this as a strange approach. In many environments the
> > zone data is periodically transferred from a provisioning system
> > to OpenDNSSEC signer and then the signing process is triggered by
> > issuing "ods-signer sign <zone>" after receiving the unsigned
> > zone.
> >
> > We are also using this approach and we have configured the Resign
> > interval to P10Y.
>
> Rainbows and unicorns.
>
> Until you zone content one day didn't change for "validity-jitter"
> time and signatures start to expire because the signer is not allowed
> to do regular maintenance.
>
> I'm saying, you can do it. But make sure to monitor your unicorns.
>
> //Yuri
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1
>
> iEYEARECAAYFAlUJVKMACgkQI3PTR4mhaviQIQCgz4tylfd6N/CGmGUL/LSBLPho
> vk8An0BCNt9gKKarQcMDs5YaF+xL5mn1
> =XrK5
> -----END PGP SIGNATURE-----
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> <mailto:Opendnssec-user at lists.opendnssec.org>
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
>
>
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
More information about the Opendnssec-user
mailing list