Hi,

17.03.2015, 15:56, Rick van Rein wrote:
> Hi Emil,
>
>> I have a setup where the desired behavior is that the signer runs and
>> actually signs a zone only when manually triggered via "ods-signer sign
>> <zone>". I mean the ods-signerd process is running all the time, but only
>> running the above command manually or via cronjob should make it sign a zone.
>
> That sounds like a really strange approach — the idea of OpenDNSSEC is that
> it handles all the timing complexity for your signing, to keep signatures
> fresh and without requiring you to apply the relatively unsubtle cronjob
> tactics. For example, think of things like spreading the load on your
> machine.

I don't see this as a strange approach. In many environments the zone data is periodically transferred from a provisioning system to OpenDNSSEC signer and then the signing process is triggered by issuing "ods-signer sign <zone>" after receiving the unsigned zone.

We are also using this approach and we have configured the Resign interval to P10Y.

Antti

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
