On 04/04/13 16:55, Carlos M. Martinez wrote:
> Thank you very much for all the bits, certainly very helpful.
> My problem is that this cycle of zone signing triggers zone number
> increases and generates dozens of NOTIFY messages and the corresponding
> zone transfers to all slaves within a short period of time, something
> which I believe is not very friendly to my gracious slave service
> providers.
You might ask your secondary if they care. We secondary for some people,
and my view is that I don't care if they send me one NOTIFY a minute and
I'm constantly doing tiny IXFR - I just don't care, or see why it's a
problem.
But I know some people don't like it. We don't send NOTIFY to one of our
secondaries for this reason, and that copy of the zone lags by
0->refresh. It's not a huge problem for me, so if you can tolerate it,
"notify explicit" might help.
> Since my signer instance does not provide public service, I would
> prefer the signing to be done in a single op and then to send a single
> NOTIFY to slaves.
> Maybe my problem is 'auto-dnssec maintain', maybe I would be better off
> with the other options.
Well... you might be able to tweak the various sig-* options to bundle
up the signing, but that might adversely affect other stuff.
How big is the zone? You could just "cron" a "dnssec-signzone" if it's
reasonably sized.
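Added example, not from either poster: a named.conf fragment for a hidden signer that puts the "notify explicit" suggestion and the sig-* batching knobs from this reply side by side with the default behaviour. The zone name, file paths and 192.0.2.x/198.51.100.x addresses are placeholders.

```conf
// Hidden signer, added example (placeholders: zone name, paths, addresses).
options {
    // Default is "notify yes": every serial bump sends NOTIFY to every NS
    // listed in the zone plus also-notify. With inline signing each signing
    // pass bumps the serial, so the secondaries get a burst of NOTIFYs.
    // "explicit" sends NOTIFY only to the also-notify list and nowhere else,
    // so the public NS set never hears from the hidden signer directly.
    notify explicit;
    also-notify { 192.0.2.53; 198.51.100.53; };
};

zone "example.com" {
    type master;
    file "/var/named/example.com.db";
    key-directory "/var/named/keys";
    inline-signing yes;

    // "maintain": named re-signs on its own schedule, which is what
    // produces the repeated serial increments the original post describes.
    // "allow" is the alternative the post hints at: keys are only picked
    // up and the zone re-signed when the operator runs "rndc sign", so
    // signing becomes one deliberate operation followed by one NOTIFY.
    auto-dnssec maintain;

    // Batching knobs: fewer, larger signing passes mean fewer commits and
    // therefore fewer serial bumps. The trade-off is longer pauses while a
    // pass runs and a longer window with mixed signature lifetimes.
    sig-validity-interval 30 7;   // signatures valid 30 days, re-sign 7 days before expiry
    sig-signing-nodes 1000;       // names processed per signing quantum
    sig-signing-signatures 100;   // signatures generated per quantum
};
```

A secondary that must never see the burst can simply be left out of also-notify, at the cost of lagging by up to the SOA refresh interval, as the reply notes.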
bind-users mailing list
https://lists.isc.org/mailman/listinfo/bind-users