We do the monitoring and do not rely solely on OpenDNSSEC to manage the signed zones anyway.
But two things are still making me crazy.

One is how ODS manages to create a signed zone when the unsigned zone is missing. I also remove the <zone>.backup2 file, but the signed zone is still created and it contains real data.

The second issue is with the signer not respecting the Resign value. I have a machine where the resign interval was initially set to 12 hours, then changed to 0 seconds and then to two days, in each case updating the kasp database and even restarting both signer and enforcer services; it keeps resigning the zone twice a day. Once a day the signing process is triggered by a cronjob; exactly 12 hours later it happens by itself. And the signconf file created by the enforcer clearly states "<Resign>PT172800S</Resign>".

Any idea what I'm missing?

@Antti We have a resigning cycle of 24 hours, so I decided setting the resign value to 2 days is a good option because with the cronjob running every day that limit should never be reached. Unfortunately I'm still missing something.

Thanks.
Emil

On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer <[email protected]> wrote:
> Hi Antti,
>
> > I don't see this as a strange approach. In many environments the
> > zone data is periodically transferred from a provisioning system
> > to OpenDNSSEC signer and then the signing process is triggered by
> > issuing "ods-signer sign <zone>" after receiving the unsigned
> > zone.
> >
> > We are also using this approach and we have configured the Resign
> > interval to P10Y.
>
> Rainbows and unicorns.
>
> Until your zone content one day didn't change for "validity-jitter"
> time and signatures start to expire because the signer is not allowed
> to do regular maintenance.
>
> I'm saying, you can do it. But make sure to monitor your unicorns.
>
> //Yuri
> _______________________________________________
> Opendnssec-user mailing list
> [email protected]
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
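The failure mode Yuri describes (a huge Resign interval plus a zone that stops changing, so nothing ever wakes the signer before the RRSIGs run out) is easy to reason about with a small model. The script below is an added example written for this thread; it is not OpenDNSSEC code and does not reproduce the signer's real scheduling logic. It assumes a simplified signer: the worst-case signature lifetime is Validity minus Jitter (as in Yuri's "validity-jitter" phrasing), a signer run renews only signatures with less than Refresh left, and a Resign of 0 or longer than the simulated window means the signer never runs on its own. The function names (parse_duration, first_stale) and the Refresh/Validity/Jitter values are constructed for the example; Resign P10Y, Resign PT172800S and the daily cron trigger are the values from the thread.

```python
"""Added example (not OpenDNSSEC code): model when RRSIGs go stale if the
signer only runs on a cron trigger and the kasp Resign interval is huge.

Assumptions (mine, not from the thread or the ODS source):
  * worst-case signature lifetime is Validity - Jitter;
  * a signer run renews every signature whose remaining lifetime is below
    Refresh and leaves the rest untouched;
  * a Resign of 0 (or longer than the horizon) means the signer never wakes
    up on its own within the simulated window.
"""
import re
from datetime import timedelta
from typing import Optional

# ISO 8601 duration as written in kasp.xml / signconf, e.g. PT172800S, P10Y, P3D
_DUR = re.compile(
    r"^P(?:(\d+)Y)?(?:(\d+)M)?(?:(\d+)W)?(?:(\d+)D)?"
    r"(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$"
)


def parse_duration(text: str) -> timedelta:
    """Parse an ISO 8601 duration. Years and months are approximated as
    365 and 30 days (assumption; good enough for 'is this interval huge')."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"not an ISO 8601 duration: {text!r}")
    y, mo, w, d, h, mi, s = (int(g) if g else 0 for g in m.groups())
    return timedelta(days=y * 365 + mo * 30 + w * 7 + d,
                     hours=h, minutes=mi, seconds=s)


def first_stale(resign: str, refresh: str, validity: str, jitter: str,
                trigger: Optional[str] = None,
                horizon: str = "P60D") -> Optional[timedelta]:
    """Return the time (measured from the initial signing) at which a
    worst-case signature expires before any signer run renews it, or None
    if every signature is renewed in time within `horizon`.

    resign  - kasp <Resign>, the signer's own wake-up interval
    trigger - interval of the external 'ods-signer sign <zone>' cron job
              (None: the zone never changes, so nothing triggers a run)
    """
    life = parse_duration(validity) - parse_duration(jitter)
    refr = parse_duration(refresh)
    end = parse_duration(horizon)
    if life <= refr:
        raise ValueError("Refresh must be shorter than Validity - Jitter")

    # every instant at which the signer gets a chance to renew signatures
    runs = set()
    for spec in (resign, trigger):
        if spec is None:
            continue
        step = parse_duration(spec)
        if step <= timedelta(0):
            continue          # assumption: Resign 0 means no automatic runs
        t = step
        while t <= end:
            runs.add(t)
            t += step

    expires = life            # worst-case signature created at t = 0
    for t in sorted(runs):
        if t >= expires:
            return expires    # a stale RRSIG is served until this run
        if expires - t < refr:
            expires = t + life
    return expires if expires <= end else None


if __name__ == "__main__":
    kasp = dict(refresh="P3D", validity="P14D", jitter="PT12H")  # constructed values
    # Antti's setup: Resign P10Y, zone updated and signed daily
    print("P10Y, daily cron   :", first_stale("P10Y", trigger="P1D", **kasp))
    # same setup, but the zone content does not change for two months
    print("P10Y, zone unchanged:", first_stale("P10Y", trigger=None, **kasp))
    # Emil's setup: Resign PT172800S plus a daily cron job
    print("PT172800S, daily cron:", first_stale("PT172800S", trigger="P1D", **kasp))
```

The second case is the one to monitor for: with Resign P10Y and an unchanged zone, the worst-case signature is stale after Validity minus Jitter and nothing renews it. Running the cron trigger less often than Refresh shows the same problem, because a run can find a signature just above the Refresh threshold and the next run arrives after it has expired.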
