Emil,

On 03/18/2015 01:15 PM, Emil Natan wrote:
We do the monitoring and do not rely solely on OpenDNSSEC to manage the
signed zones anyway.

But two things are still making me crazy. One is how ODS manages to
create a signed zone when the unsigned zone is missing. I also remove
the <zone>.backup2 file, but the signed zone is still created and it
contains real data.

The only reasons that this occurs and that I can think of are:
- The unsigned zone is still in memory
- The zone uses a DNS Input Adapter

From your mails it sounds unlikely that one of these is the cause though...


The second issue is with the signer not respecting the Resign value. I
have a machine where the resign interval was initially set to 12 hours,
then changed to 0 seconds and then to two days, in each case updating
the kasp database and even restarting both signer and enforcer services,
it keeps resigning the zone twice a day. Once a day the signing process
is triggered by a cronjob, exactly 12 hours later it happens by itself.
And the signconf file created by the enforcer clearly states
"<Resign>PT172800S</Resign>"

This can be considered a bug:

https://github.com/opendnssec/opendnssec/blob/1.4/master/signer/src/daemon/worker.c#L467

duration2time is 0 and the signer will fall back to use the default of 1H.

To be honest, I am not sure if <Resign>PT0S</Resign> is a good idea. Basically what it means is changing behaviour because we should not put the zone back on the scheduler (if that makes sense).

Best regards,
  Matthijs





Any idea what I'm missing?

@Antti We have a resigning cycle of 24 hours, so I decided setting the
resign value to 2 days is a good option because with the cronjob running
every day that limit should never be reached. Unfortunately I'm still
missing something.

Thanks.

Emil




On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer <[email protected]> wrote:


    Hi Antti,

    > I don't see this as a strange approach. In many environments the
    > zone data is periodically transferred from a provisioning system
    > to OpenDNSSEC signer and then the signing process is triggered by
    > issuing "ods-signer sign <zone>" after receiving the unsigned
    > zone.
    >
    > We are also using this approach and we have configured the Resign
    > interval to P10Y.

    Rainbows and unicorns.

    Until your zone content one day didn't change for "validity-jitter"
    time and signatures start to expire because the signer is not allowed
    to do regular maintenance.

    I'm saying, you can do it. But make sure to monitor your unicorns.

    //Yuri
    _______________________________________________
    Opendnssec-user mailing list
    [email protected]
    https://lists.opendnssec.org/mailman/listinfo/opendnssec-user




