Hi Matthijs,
I'm now using Adapter File, which is more stable than Adapter DNS.
The workflow is as follows:
1. generate zone files from db and save them in ./unsigned/
2. when all the zone files are ready, run ods-signer sign --all
3. monitor whether there are signed zones in ./signed/ and immediately scp the signed zone from ./signed to the hidden master BIND; after the transfer is complete, use "rndc reload" to make BIND reload the newly signed zone file
4. test whether
4. do the above steps every 15 mins

The problem is that sometimes the zone files in ./signed/ may not have been signed by ods-signer sign --all; they may have been signed by an automatic resign, so sometimes the RRs in the zones are not exactly the ones in the db. So, as you suggested, I have changed the resign value to a relatively large number, but I find that I have to change refresh, validity/default and validity/denial too, so I cannot set the resign period to 1Y for example, because refresh should be larger than resign, and validity/default and validity/denial should be larger than refresh. I think the validity is 30D, which is commonly used by registries, so can you recommend other values?

And I knew that if a zone is not signed completely, ods-signerd will only create a <zone>.tmp file in ./signed/, but in my test I have found that a zone has been scped to the hidden master with a smaller size than its supposed size, and its file name is test, not test.tmp, so my program is sure that it's signed completely and transfers it to the destination. Is there a possibility that ods-signerd signs a zone file incompletely and renames <zone>.tmp to <zone>? If not, I can hardly understand why the signed file is so much smaller than the unsigned one.
Best regards,
Stuart
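The mail above relies on the absence of a <zone>.tmp file as the only signal that a signed zone is complete before it is copied to the hidden master. As an added example (not part of Stuart's mail and not OpenDNSSEC code), the following script performs a content check on the signed output before transfer: it parses both the unsigned input and the signed file in zone-file presentation format, and refuses the transfer unless the signed zone has an SOA, an RRSIG covering the SOA, at least as many records as the input, and every non-DNSSEC data record of the unsigned zone. The zone contents, serials and RRSIG values are constructed for the demo; the parser assumes fully qualified owner names as written by the signer and does not handle $INCLUDE or quoted strings containing ";".

```python
"""Sanity-check a signed zone file before pushing it to a hidden master.

Added example, not OpenDNSSEC's own code. Assumes presentation-format zone
files with absolute owner names (which is what the signer writes out).
"""

CLASSES = {'IN', 'CH', 'HS'}
# Records added by the signer; these are not expected in the unsigned input.
DNSSEC_TYPES = {'RRSIG', 'NSEC', 'NSEC3', 'NSEC3PARAM', 'DNSKEY', 'CDS', 'CDNSKEY'}


def _records(zone_text):
    """Yield one field list per logical record, joining parenthesised
    multi-line records, dropping comments and honouring $ORIGIN / '@'."""
    origin, last_owner = None, None
    buf, depth, leading_ws = [], 0, False
    for raw in zone_text.splitlines():
        line = raw.split(';', 1)[0].rstrip()   # strip comments (no quoted strings)
        if not line.strip():
            continue
        if not buf:
            leading_ws = line[0].isspace()     # owner omitted: reuse previous owner
        depth += line.count('(') - line.count(')')
        buf.append(line.replace('(', ' ').replace(')', ' '))
        if depth > 0:
            continue                           # still inside ( ... )
        fields = ' '.join(buf).split()
        buf, depth = [], 0
        if fields[0] == '$ORIGIN':
            origin = fields[1]
            continue
        if fields[0].startswith('$'):          # $TTL etc. are irrelevant here
            continue
        if leading_ws:
            fields.insert(0, last_owner)
        elif fields[0] == '@':
            fields[0] = origin
        last_owner = fields[0]
        yield fields


def _rtype(fields):
    """Return (type, rdata) from a field list; TTL and class are optional."""
    i = 1
    while i < len(fields) and (fields[i].isdigit() or fields[i].upper() in CLASSES):
        i += 1
    return fields[i].upper(), fields[i + 1:]


def summarize(zone_text):
    """Collect SOA serial, record count, types covered by RRSIGs and the set
    of ordinary data records (owner, type, rdata), ignoring TTLs."""
    info = {'serial': None, 'records': 0, 'signed_types': set(), 'data': set()}
    for fields in _records(zone_text):
        owner = fields[0]
        rtype, rdata = _rtype(fields)
        info['records'] += 1
        if rtype == 'SOA':
            info['serial'] = int(rdata[2])      # mname rname serial ...
        elif rtype == 'RRSIG':
            info['signed_types'].add(rdata[0].upper())  # type covered
        elif rtype not in DNSSEC_TYPES:
            info['data'].add((owner.lower(), rtype, tuple(rdata)))
    return info


def check_signed_zone(filename, unsigned_text, signed_text):
    """Return (ok, reason). ok is True only when the signed file looks complete
    and still carries every data record that was in the unsigned input."""
    if filename.endswith('.tmp'):
        return False, 'signer is still writing this zone'
    signed, unsigned = summarize(signed_text), summarize(unsigned_text)
    if signed['serial'] is None:
        return False, 'no SOA record in signed zone'
    if 'SOA' not in signed['signed_types']:
        return False, 'SOA is not signed (no RRSIG SOA)'
    if signed['records'] < unsigned['records']:
        return False, 'signed zone has fewer records than the unsigned input'
    missing = unsigned['data'] - signed['data']
    if missing:
        return False, 'records missing from signed zone: %s' % sorted(missing)
    return True, 'serial %d, %d records' % (signed['serial'], signed['records'])


# Constructed sample zones (RRSIG/DNSKEY values are placeholders, not real signatures).
UNSIGNED_ZONE = """\
$ORIGIN example.
$TTL 3600
example.  IN SOA ns1.example. hostmaster.example. (
                2024010101 ; serial
                7200 3600 1209600 3600 )
example.  IN NS ns1.example.
ns1.example. IN A 192.0.2.1
www.example. IN A 192.0.2.10
"""

SIGNED_ZONE = """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2024010102 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 8 1 3600 20240201000000 20240101000000 12345 example. c29hc2ln
example. 3600 IN NS ns1.example.
example. 3600 IN RRSIG NS 8 1 3600 20240201000000 20240101000000 12345 example. bnNzaWc=
example. 3600 IN DNSKEY 257 3 8 AwEAAcONSTRUCTED
example. 0 IN NSEC3PARAM 1 0 5 ab
ns1.example. 3600 IN A 192.0.2.1
ns1.example. 3600 IN RRSIG A 8 2 3600 20240201000000 20240101000000 12345 example. YXNpZw==
www.example. 3600 IN A 192.0.2.10
www.example. 3600 IN RRSIG A 8 2 3600 20240201000000 20240101000000 12345 example. d3d3c2ln
"""

# A partially written output: more records than the input, yet data is missing.
TRUNCATED_ZONE = '\n'.join(SIGNED_ZONE.splitlines()[:5]) + '\n'

if __name__ == '__main__':
    for name, text in (('test', SIGNED_ZONE), ('test', TRUNCATED_ZONE), ('test.tmp', SIGNED_ZONE)):
        print(name, check_signed_zone(name, UNSIGNED_ZONE, text))
```

The record-count comparison alone would pass the truncated sample (5 records against 4 in the input, because the signer adds RRSIG and DNSKEY records), which is why the script also diffs the data records; a monitoring step that only looks at file names or sizes cannot distinguish a complete signed zone from one that is still being written.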
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user