Brandon Applegate <[email protected]> wrote:
>
> Tonight though in about an hour, the serial number was incremented 12
> times and NOTIFYs sent.  My home firewall is stable, and my DKIM
> rotation happens monthly via cron.  So there’s nothing in the logs
> regarding a DDNS update.
>
> My question is - what could prompt these changes?  I don’t see a
> pattern in time or anything else in the logs.

The prompt would have been regular zone re-signing activity, which (as
Mark says) is done in small chunks. You can control the size of the chunks
with the `sig-signing-nodes` and `sig-signing-signatures` options. If you
want to reduce NOTIFY / IXFR traffic, you might want to increase these
options, though it's probably only a good idea if you have a hidden
primary server that isn't answering other queries.

You should find that re-signing gets spread out over time due to update
activity and because of the randomizing jitter that Mark mentioned. So on
a more mature zone you might not get such an intense flurry of signature
updates. The jitter is 1 hour (in normal configurations) and there isn't
a direct way to change it, unlike the -j option to `dnssec-signzone`.

Tony.
-- 
f.anthony.n.finch  <[email protected]>  http://dotat.at/
Wight: South 4 to 6, becoming variable 3 or less. Slight, occasionally
moderate at first. Showers, perhaps thundery. Moderate or good.