I'm afraid after changing the resign interval - everything broke. I've restarted everything with "datecounter" and [AI]XFR an unsigned zone that is only regenerated every 30 minutes. Also use a 30 minutes resign in KASP. Everything currently working.
I want "datecounter" because "unixtime" ends (hopefully) within my lifetime - January 19, 2038 03:14:08 GMT - and its getting uncomfortably close. On 07/10/2016 10:01, Yuri Schaeffer wrote: > Hi Mark, > > On 06-10-16 17:58, Mark Elkins wrote: >> Oct 6 17:45:01 signer1 ods-signerd: [namedb] zone za cannot keep SOA >> SERIAL from input zone (2016100627): previous output SOA SERIAL is >> 2016100627 >> Oct 6 17:45:01 signer1 ods-signerd: [zone] unable to update zone za soa >> serial: Conflict detected > > I think it is because your resign interval is 15 minutes and you are > getting XFR's every 15 minutes. There is a chance the signer will have 2 > consecutive runs but did not see an XFR in between. The signer will > retry a bit later and no harm was done. > > To get rid of this message I would advice to raise the resign interval a > bit. Maybe even to 2*[XFR interval]. Better yet would be to have the > signer keep its own SOA serial. That way it can still refresh signatures > even if you don't get XFRs for some period. > > Regards, > Yuri > > > > _______________________________________________ > Opendnssec-user mailing list > [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > -- Mark James ELKINS - Posix Systems - (South) Africa [email protected] Tel: +27.128070590 Cell: +27.826010496 For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
