Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 18:18:52 +0100 Tony Finch wrote:
> Alessandro Vesely  wrote:
>>
>> It doesn't seem to happen every day, but can happen again on the next day.  Can
>> the period be controlled?
> 
> It depends on the size of the zone (bigger zone -> more frequent updates),
> how widely scattered the RRSIG expiry times are (which depends on how the
> zone is updated and how it was originally signed), how long ago it was
> signed (the expiry times have a bit of jitter so they should gradually
> spread out over) and on the sig-validity-interval setting.


That makes sense.  I left sig-validity-interval at its default (30 days) and
from October 19 to November 11 (the dates of the files) there are 23 days,
while 30 * (1 - 1/4) = 22.5.

Looking closer, I realized that the next day signature was not rewritten in the
same view.

Perhaps the jitter can be cured by setting a multiple of 4 as the validity
interval...

Thank you for the detailed explanation
Ale
-- 
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
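The arithmetic in the message above (30 days minus a quarter of the interval, i.e. 22.5 days after signing) can be checked against the RRSIGs actually present in a signed zone. The script below is an added example, not code from this thread or from ISC; it assumes the documented BIND behaviour that `sig-validity-interval BASE [RESIGN]` makes new RRSIGs expire BASE days ahead and regenerates a signature once it is within RESIGN days of expiry, RESIGN defaulting to BASE/4 (7.5 days for the 30-day default). The zone text is constructed for the example; the same parser works on any zone dumped one record per line, such as `dig axfr` output of the signed zone.

```python
"""Predict when named's inline signer will next rewrite a .signed file.

Added example (not from the bind-users thread or from BIND itself).
Assumed model: an RRSIG is regenerated when it is within `resign_days`
of its expiration, and resign_days defaults to base_days / 4, matching
the documented default of sig-validity-interval.  Real expiry times carry
jitter, so on a live zone the resulting dates spread out over time; this
script only reports the schedule implied by the signatures it is given.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of a signed zone: three RRSIGs with staggered expiry.
# Signature data is a placeholder, not a real signature.
SAMPLE_ZONE = """\
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2019101901 7200 3600 1209600 3600
example.com.     3600 IN RRSIG SOA 13 2 3600 20191118120000 20191019120000 12345 example.com. cGxhY2Vob2xkZXI=
example.com.     3600 IN NS    ns1.example.com.
example.com.     3600 IN RRSIG NS 13 2 3600 20191120090000 20191021090000 12345 example.com. cGxhY2Vob2xkZXI=
www.example.com.  300 IN A     192.0.2.10
www.example.com.  300 IN RRSIG A 13 3 300 20191125180000 20191026180000 12345 example.com. cGxhY2Vob2xkZXI=
"""

# RRSIG presentation format (one record per line):
# owner [ttl] [class] RRSIG covered alg labels orig-ttl expiration inception keytag signer signature
RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?RRSIG\s+(?P<covered>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expire>\d{14})\s+(?P<incept>\d{14})\s+\d+\s+\S+"
)


def parse_time(yyyymmddhhmmss):
    """RRSIG timestamps are UTC in YYYYMMDDHHMMSS form."""
    return datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return (owner, covered_type, inception, expiration) for every RRSIG line."""
    sigs = []
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            sigs.append((m["owner"], m["covered"], parse_time(m["incept"]), parse_time(m["expire"])))
    return sigs


def resign_time(expiration, base_days=30, resign_days=None):
    """Moment at which named regenerates a signature that expires at `expiration`.

    With the defaults this is expiration - 7.5 days, i.e. 22.5 days after a
    signature that was issued with a 30-day validity.
    """
    if resign_days is None:
        resign_days = base_days / 4
    return expiration - timedelta(days=resign_days)


def resign_schedule(zone_text, base_days=30, resign_days=None):
    """Sorted list of (resign_time, owner, covered_type) for the whole zone."""
    return sorted(
        (resign_time(exp, base_days, resign_days), owner, covered)
        for owner, covered, _incept, exp in parse_rrsigs(zone_text)
    )


def next_rewrite(zone_text, now, base_days=30, resign_days=None):
    """Earliest re-sign time after `now`: the next expected rewrite of the .signed file.

    Returns None when every signature has already passed its re-sign point.
    """
    future = [t for t, _, _ in resign_schedule(zone_text, base_days, resign_days) if t > now]
    return future[0] if future else None


if __name__ == "__main__":
    now = parse_time("20191112000000")  # constructed "current time" for the demo
    for when, owner, covered in resign_schedule(SAMPLE_ZONE):
        print(f"{when:%Y-%m-%d %H:%M}Z  {owner} RRSIG({covered})")
    print("next rewrite of the .signed file:", next_rewrite(SAMPLE_ZONE, now))
```

Feeding the real `.signed` zone to `resign_schedule` gives the dates on which a file-integrity monitor such as tripwire should expect the file and its journal to change, so those alarms can be recognised as scheduled rather than tuned out by excluding the directory altogether. Passing an explicit `resign_days` shows how the second field of `sig-validity-interval` moves the schedule without touching the expiry times already in the zone.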


Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 13:39:30 +0100 Jim Popovitch via bind-users wrote:
> On 11/12/19 4:42 AM, Alessandro Vesely wrote:
>> Hi,
>>
>> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>>
>> Although the domain is static, the .signed and .signed.jnl files are being
>> rewritten without apparent reason.  They are about a month newer than the
>> corresponding .jbk and base files.
>>
>> I notice that because of tripwire complaints.  I guess I have to tweak that
>> config, unless there's a way to prevent or foresee those rewritings.
>>
> 
> I use this in twpol.txt:
> 
> {
>     /etc    -> $(SEC_BIN) (recurse=true) ;
>     !/etc/bind/zone ;
>

Yeah, that's a possibility.

Not that I rely on tripwire more than I should, but leaving the zone outside
the controlled area means to blindly sign whatever happens to be in the zone.


Best
Ale
-- 


Re: The signed domain file rewritten

2019-11-12 Thread Tony Finch
Alessandro Vesely  wrote:
>
> It doesn't seem to happen every day, but can happen again on the next day.  Can
> the period be controlled?

It depends on the size of the zone (bigger zone -> more frequent updates),
how widely scattered the RRSIG expiry times are (which depends on how the
zone is updated and how it was originally signed), how long ago it was
signed (the expiry times have a bit of jitter so they should gradually
spread out over) and on the sig-validity-interval setting.

Tony.
-- 
f.anthony.n.finch  http://dotat.at/
Viking, North Utsire, South Utsire: Easterly or northeasterly 4 to 6, becoming
cyclonic 2 for a time. Rough becoming moderate. Rain. Good, occasionally poor.


Re: The signed domain file rewritten

2019-11-12 Thread Alessandro Vesely
On Tue 12/Nov/2019 12:09:06 +0100 Mark Andrews wrote:
> The RRSIGs need to be regenerated periodically.  These are the changes you are
> seeing.
> 

It doesn't seem to happen every day, but can happen again on the next day.  Can
the period be controlled?


Best
Ale
-- 


Re: The signed domain file rewritten

2019-11-12 Thread Jim Popovitch via bind-users
On 11/12/19 4:42 AM, Alessandro Vesely wrote:
> Hi,
>
> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
>
> Although the domain is static, the .signed and .signed.jnl files are being
> rewritten without apparent reason.  They are about a month newer than the
> corresponding .jbk and base files.
>
> I notice that because of tripwire complaints.  I guess I have to tweak that
> config, unless there's a way to prevent or foresee those rewritings.

I use this in twpol.txt:

{
    /etc    -> $(SEC_BIN) (recurse=true) ;
    !/etc/bind/zone ;

> Why does bind rewrite that file?

Because someone forgot to put dynamic files in /var ?  :P

https://en.wikipedia.org/wiki/Unix_filesystem


-Jim P.



Re: The signed domain file rewritten

2019-11-12 Thread Mark Andrews
The RRSIGs need to be regenerated periodically.  These are the changes you are
seeing.

-- 
Mark Andrews

> On 12 Nov 2019, at 20:42, Alessandro Vesely  wrote:
> 
> Hi,
> 
> I have a signed domain, with inline-signing yes and auto-dnssec maintain.
> 
> Although the domain is static, the .signed and .signed.jnl files are being
> rewritten without apparent reason.  They are about a month newer than the
> corresponding .jbk and base files.
> 
> I notice that because of tripwire complaints.  I guess I have to tweak that
> config, unless there's a way to prevent or foresee those rewritings.
> 
> Why does bind rewrite that file?
> 
> 
> Best
> Ale
> -- 
>
