Hi,

18.03.2015, 12:34, Yuri Schaeffer wrote:
> Hi Antti,
>
>> I don't see this as a strange approach. In many environments the
>> zone data is periodically transferred from a provisioning system
>> to OpenDNSSEC signer and then the signing process is triggered
>> by issuing "ods-signer sign <zone>" after receiving the unsigned
>> zone.
>
>> We are also using this approach and we have configured the
>> Resign interval to P10Y.
>
> Rainbows and unicorns.
>
> Until your zone content one day didn't change for "validity-jitter"
> time and signatures start to expire because the signer is not
> allowed to do regular maintenance.
>
> I'm saying, you can do it. But make sure to monitor your unicorns.

Yes, we can do it and we are doing it, without issues so far. And we
do monitor, which unfortunately is not true for every player operating
DNSSEC signed zones.

Besides, the timing parameters should be chosen in a way that the zone
update process can be stopped for many days until signatures start to
expire.

Antti
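
One way to implement the signature-expiry monitoring discussed in this thread, as an added example that is not part of the original messages and is not OpenDNSSEC code. It assumes the signed zone is available as text with one record per line (as in dig output); the zone names, key tag, signature data and the 5-day threshold are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (one per line, dig-style); names, key tag and
# signature data are placeholders, not values from the thread.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2015031801 3600 600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 1427889600 20150318110000 12345 example.com. c2ln
example.com. 3600 IN RRSIG NS 8 2 3600 20150321120000 20150307110000 12345 example.com. c2ln
www.example.com. 300 IN RRSIG A 8 3 300 20150319060000 20150305050000 12345 example.com. c2ln
mail.example.com. 300 IN RRSIG A 8 3 300 20150317000000 20150303000000 12345 example.com. c2ln
"""


def parse_rrsig_time(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or decimal seconds since the epoch (both UTC)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def check_rrsig_expiry(zone_text, now, min_remaining):
    """Return (status, owner, covered_type, remaining) for every RRSIG with
    less than min_remaining validity left, most urgent first."""
    findings = []
    for line in zone_text.splitlines():
        tok = line.split(";")[0].split()          # drop comments, tokenize
        if "RRSIG" not in tok:
            continue
        i = tok.index("RRSIG")
        if len(tok) < i + 9:                      # truncated record, skip
            continue
        # Fields after RRSIG: covered alg labels origttl expiration inception keytag signer
        covered, expiration = tok[i + 1], tok[i + 5]
        remaining = parse_rrsig_time(expiration) - now
        if remaining < min_remaining:
            status = "EXPIRED" if remaining <= timedelta(0) else "EXPIRING"
            findings.append((status, tok[0], covered, remaining))
    return sorted(findings, key=lambda f: f[3])


if __name__ == "__main__":
    now = datetime(2015, 3, 18, 12, 34, tzinfo=timezone.utc)   # constructed "current" time
    for status, owner, covered, remaining in check_rrsig_expiry(SAMPLE_ZONE, now, timedelta(days=5)):
        print(f"{status:8} {owner} {covered} remaining={remaining}")
```

The alert threshold should be longer than the longest period the zone update process is expected to be stopped, so that the alarm fires while there is still time to trigger a re-sign.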
