Jake, It’s not only the signing time that is of consequence. After full resign of your zone, you also enforce a full AXFR of your zone to your nameservers. We fully trust on the operation of OpenDNSSEC btw. After a few checks and such, before publishing the zone… ;-)
Marc From: Opendnssec-user <[email protected]> on behalf of Jake Zack <[email protected]> Date: Tuesday, 27 September 2016 at 17:37 To: "[email protected] List" <[email protected]> Subject: Re: [Opendnssec-user] Zone signed by key in retire state Confirmed it does work (nuking signature cache and restarting Ods)… CIRA’s signing system signs separately with both BIND and ODS, then compares at the end, and only after validity checks and comparison is it published to the world…so we’ve occasionally seen ODS have signatures that haven’t expired yet for outgoing keys cause issues where BIND doesn’t have the same signatures on-hand. It’s not ideal, as stated below…because it causes a full re-sign of the zone…versus using the perfectly valid signatures under the old key. If you have a small zone, though, I guess the extra few seconds of signing time probably isn’t a major concern. We tend to do: /sbin/service ods-signerd stop rm –rf /var/opendnssec/tmp/* /var/opendnssec/signed/* /sbin/service ods-signerd start We stop and restart ods-signerd because we’re set to “keep” serial rather than increment…and ods-signerd doesn’t like signing the same serial twice. We’re moving away from the dual-signer setup, now, however, as we believe both software’s have matured in their DNSSEC handling, and after years of comparing zone output, the value in combing over minute differences in outputs is no longer as substantial as it once was. -jake From: Opendnssec-user [mailto:[email protected]] On Behalf Of Arun Natarajan Sent: Tuesday, September 27, 2016 11:14 AM To: Yuri Schaeffer Cc: [email protected] List Subject: Re: [Opendnssec-user] Zone signed by key in retire state Thanks Yuri, OpenDNSSEC tries to keep signatures in the zone as long as they are valid. Only when a signature expires and thus needs a resign, the signature is generated with the new ZSK. You'll notice that some signatures are generated with the new ZSK and some with the old ZSK. The signature validity is configurable in the KASP. During that time both ZSKs have their DNSKEY record published in the zone. My understanding was, it create new signatures with the new key once the keys is rolled. > I guess if we clear the ods and run signer again it will work, but > wondering why it does not happen automatically? It would work, but it is probably not what you want. Yeah, probably not a good idea. Might be useful in emergency roll over though. -- arun Regards, Yuri _______________________________________________ Opendnssec-user mailing list [email protected]<mailto:[email protected]> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
