> The only reasons that this occurs and that I can think of are:
> - The unsigned zone is still in memory
> - The zone uses a DNS Input Adapter
>
> From your mails it sounds unlikely that one of these is the cause
> though...

Does the signer close the backup file? Maybe it still holds the file
descriptor.

//Yuri

>> The second issue is with the signer not respecting the Resign
>> value. I have a machine where the resign interval was initially
>> set to 12 hours, then changed to 0 seconds and then to two days,
>> in each case updating the kasp database and even restarting both
>> signer and enforcer services, it keeps resigning the zone twice a
>> day. Once a day the signing process is triggered by a cronjob,
>> exactly 12 hours later it happens by itself. And the signconf
>> file created by the enforcer clearly states
>> "<Resign>PT172800S</Resign>"
>
> This can be considered a bug:
>
> https://github.com/opendnssec/opendnssec/blob/1.4/master/signer/src/daemon/worker.c#L467
>
> duration2time is 0 and the signer will fall back to use the default
> of 1H.
>
> To be honest, I am not sure if <Resign>PT0S</Resign> is a good
> idea. Basically what it means is changing behaviour because we
> should not put the zone back on the scheduler (if that makes
> sense).
>
> Best regards,
> Matthijs
>
>> Any idea what I'm missing?
>>
>> @Antti We have a resigning cycle of 24 hours, so I decided
>> setting the resign value to 2 days is a good option because with
>> the cronjob running every day that limit should never be reached.
>> Unfortunately I'm still missing something.
>>
>> Thanks.
>>
>> Emil
>>
>> On Wed, Mar 18, 2015 at 12:34 PM, Yuri Schaeffer
>> <[email protected]> wrote:
>>
> Hi Antti,
>
>> I don't see this as a strange approach. In many environments the
>> zone data is periodically transferred from a provisioning system
>> to OpenDNSSEC signer and then the signing process is triggered
>> by issuing "ods-signer sign <zone>" after receiving the unsigned
>> zone.
>
>> We are also using this approach and we have configured the
>> Resign interval to P10Y.
>
> Rainbows and unicorns.
>
> Until your zone content one day didn't change for "validity-jitter"
> time and signatures start to expire because the signer is not
> allowed to do regular maintenance.
>
> I'm saying, you can do it. But make sure to monitor your unicorns.
>
> //Yuri
>> _______________________________________________
>> Opendnssec-user mailing list
>> [email protected]
>> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
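The thread's advice to "monitor your unicorns" when the Resign interval is set very long (or when the signer is only ever triggered from cron) boils down to one check: does any RRSIG in the published signed zone expire sooner than the next expected signing run? The script below is an added example, not code from the thread or from the OpenDNSSEC project. It reads RRSIG records in the one-line zone-file presentation form (owner, TTL, class, RRSIG, RDATA as in RFC 4034), accepts both the YYYYMMDDHHmmSS and the seconds-since-epoch forms of the expiration field, and classifies each signature as expired, expiring within a warning window, or fine. The zone content, key tags, signature bytes, timestamps and the `NOW` / `WARN_WITHIN` values are constructed for the example; the RRSIG lines are deliberately simplified (no multi-line records, no omitted TTL or class).

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of RRSIG records in zone-file presentation format
# (RFC 4034 section 3.2). Expiration/inception are either YYYYMMDDHHmmSS
# in UTC or a plain seconds-since-epoch integer; the last record uses the
# latter form (1426550400 == 2015-03-17T00:00:00Z). Names, key tags and
# the truncated signature data are made up for this example.
SAMPLE_SIGNED_ZONE = """\
; constructed sample, not a real zone
example.com.      3600 IN RRSIG SOA 8 2 3600 20150401120000 20150318120000 12345 example.com. AbCd==
example.com.      3600 IN RRSIG NS  8 2 3600 20150320120000 20150306120000 12345 example.com. EfGh==
www.example.com.  3600 IN RRSIG A   8 3 3600 20150319000000 20150305000000 12345 example.com. IjKl==
mail.example.com. 3600 IN RRSIG MX  8 3 3600 1426550400     20150303000000 12345 example.com. MnOp==
"""

# "Now" pinned to the date of the thread so the example is reproducible,
# and a warning window of three days (assumed values, adjust to your
# resign interval plus validity jitter).
NOW = datetime(2015, 3, 18, 12, 0, tzinfo=timezone.utc)
WARN_WITHIN = timedelta(days=3)

# One-line RRSIG in presentation format: owner TTL IN RRSIG <rdata fields>
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+(?P<covered>\S+)\s+"
    r"(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<origttl>\d+)\s+"
    r"(?P<expiration>\d+)\s+(?P<inception>\d+)\s+(?P<keytag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>\S+)\s*$"
)


def parse_sig_time(field: str) -> datetime:
    """RRSIG time fields are YYYYMMDDHHmmSS (14 digits) or seconds since epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsigs(zone_text: str) -> list:
    """Collect (owner, covered type, expiration, inception) for every RRSIG line."""
    sigs = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = RRSIG_RE.match(line)
        if not m:
            continue  # not an RRSIG in the one-line form handled here
        sigs.append({
            "owner": m["owner"],
            "covered": m["covered"],
            "expiration": parse_sig_time(m["expiration"]),
            "inception": parse_sig_time(m["inception"]),
        })
    return sigs


def check_signatures(zone_text: str, now: datetime, warn_within: timedelta) -> dict:
    """Classify each RRSIG as expired, expiring within warn_within, or ok.

    Lists are ordered by expiration time, soonest first, so an alert shows
    the most urgent signature at the top.
    """
    sigs = sorted(parse_rrsigs(zone_text), key=lambda s: s["expiration"])
    report = {"expired": [], "expiring": [], "ok": []}
    for s in sigs:
        remaining = s["expiration"] - now
        key = (s["owner"], s["covered"])
        if remaining <= timedelta(0):
            report["expired"].append(key)
        elif remaining <= warn_within:
            report["expiring"].append(key)
        else:
            report["ok"].append(key)
    return report


def example_report() -> dict:
    """Run the check over the constructed sample with the pinned clock."""
    return check_signatures(SAMPLE_SIGNED_ZONE, NOW, WARN_WITHIN)


if __name__ == "__main__":
    report = example_report()
    for state in ("expired", "expiring", "ok"):
        for owner, covered in report[state]:
            print(f"{state:8s} {owner} {covered}")
```

In production the zone text would come from the signer's output file or from an AXFR of the published zone, and `NOW` from the system clock; the warning window should be at least the resign interval plus the validity jitter, since that is the longest gap before the signer is next allowed to refresh a signature.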
