Hi,

The signer does not understand the notion of disabling automatic resigning. However, you could set the resign period to such a high value that it will never be reached. For example, one year (P1Y). Once you run ods-signer sign --all, the resign period will be reset to one year again from that moment in time.

Best regards,
Matthijs

On 09/10/2012 08:02 AM, Áõ˶ wrote:
> Hi Matthijs,
>
>> You can either run ods-signer <zone> for each zone, or ods-signer sign
>> --all to schedule them all. The automatic resigning will still work.
>> The ods-signer sign command is there just to tell OpenDNSSEC there is
>> new zone content. A zone will never be worked on more than once at a
>> time: if a sign task is currently being done, an ods-signer sign
>> command will be scheduled after the current sign task is finished.
>
> We want to know if there is a way to disable the automatic resigning
> because it will only sign the RRs in the memory which do not contain
> newly added RRs. And I know that the only way that can make the newly
> added RRs signed by ods-signerd is by running ods-signer sign <zone> or
> --all, but the automatic resigning will not stop working even there
> will not be two or more ods-signerd signing the same zone at the same
> time. But I think the automatic resigning is useless in this situation
> that our RRs are in a quick changing environment, I want to sign only
> the current status of the zone data which the automatic resigning will
> not satisfy at some time.
>
> e.g. I want to re-load the whole data from db every 15 min and generate
> new zone files. After new zone files are generated, I would run
> ods-signer sign --all to sign all the zones. When zones are signed I
> would make BIND reload them immediately. There could be a situation that
> just after BIND's reloading the automatic resigning gets the opportunity
> to sign the zones in the memory, all of which are signed just now by
> manually-executed command, and at this time BIND will reload the zones
> again which have the same RRs. So I think it's useful to have the
> feature of disabling automatic resigning and let manually-executed
> command take over the signing function. The advantages are that the RRs
> are the right ones in db and free the CPU from resigning the same data
> again which is set off by automatic resigning. Or I think the automatic
> resigning should reload the data from /unsigned directory instead of
> resigning the RRs in the memory.
>
> I hope I have explained clearly, any suggestions?
>
>
> Best regards,
> Stuart
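The following check is an added example, not part of the thread and not OpenDNSSEC's own code: it parses a constructed `<Signatures>` fragment with `Resign` raised to P1Y as suggested above and reports what that implies for a manually scheduled `ods-signer sign --all`. The `Refresh` and `Validity` values, the function names, and the premise that each sign run regenerates signatures with less than `Refresh` lifetime remaining are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed kasp.xml fragment: Resign raised to P1Y as suggested in the
# thread; Refresh and Validity are sample values, not taken from the thread.
KASP_FRAGMENT = """
<Signatures>
  <Resign>P1Y</Resign>
  <Refresh>P3D</Refresh>
  <Validity><Default>P7D</Default><Denial>P7D</Denial></Validity>
</Signatures>
"""

_DUR = re.compile(r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
                  r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")
# Assumption: a year counts as 365 days and a month as 31 days.
_UNIT_SECONDS = (365 * 86400, 31 * 86400, 7 * 86400, 86400, 3600, 60, 1)

def duration_seconds(text):
    """Convert an xsd:duration such as P1Y, PT2H or PT3600S to seconds."""
    m = _DUR.match(text.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"not a duration: {text!r}")
    return sum(int(v) * u for v, u in zip(m.groups(), _UNIT_SECONDS) if v)

def check_signatures(xml_text, manual_interval):
    """Return findings for a <Signatures> block given the manual sign interval."""
    sig = ET.fromstring(xml_text)
    resign = duration_seconds(sig.findtext("Resign"))
    refresh = duration_seconds(sig.findtext("Refresh"))
    validity = duration_seconds(sig.findtext("Validity/Default"))
    manual = duration_seconds(manual_interval)
    findings = []
    if refresh >= validity:
        findings.append("Refresh >= Validity: every run regenerates all signatures")
    if resign >= refresh:
        # Automatic resigning can no longer refresh signatures in time.
        findings.append("Resign >= Refresh: freshness depends on manual sign runs")
        if manual >= refresh:
            findings.append("manual interval >= Refresh: signatures can expire")
    return findings

if __name__ == "__main__":
    for line in check_signatures(KASP_FRAGMENT, "PT15M"):
        print("WARN:", line)
```

With the 15-minute schedule described in the thread only the first dependency warning is raised; if the scheduled job stops running for longer than `Refresh`, nothing else re-signs the zone.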
